bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341

Analysis

max time kernel
84s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
Size

8.3MB
MD5

cd470530fc3d2d35f04a225d8134d7cf
SHA1

41dcbe4ecc0f1c2b02d5f84e955c9faf2dececa1
SHA256

bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341
SHA512

64eb417aaf812b5bfecee16c4005f987946bbcadb6569ce3fd5e2d8871bfab30653ee12dfc243117dc257f57c738d6bc69d49e342e353b95b1b94524e3805230

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

Executes dropped EXE 2 IoCs

Processes:

bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exebc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

pid	process
1300	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
2628	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

Loads dropped DLL 1 IoCs

Processes:

bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

pid process

2628 bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

pid	process
2628	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/920-130-0x00000000005C0000-0x0000000001204000-memory.dmp	themida
behavioral2/memory/920-131-0x00000000005C0000-0x0000000001204000-memory.dmp	themida
behavioral2/memory/920-132-0x00000000005C0000-0x0000000001204000-memory.dmp	themida
behavioral2/memory/920-133-0x00000000005C0000-0x0000000001204000-memory.dmp	themida
behavioral2/memory/920-146-0x00000000005C0000-0x0000000001204000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

Drops file in System32 directory 43 IoCs

Processes:

bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM32\GLU32.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\SYSTEM32\profapi.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\oleaut32.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\gdi32full.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\comdlg32.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\imm32.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\imagehlp.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\MSCTF.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\KERNELBASE.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\msvcp_win.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\win32u.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\ole32.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\shlwapi.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\SYSTEM32\hhctrl.ocx	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\bcryptPrimitives.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\system32\explorerframe.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\SYSTEM32\ntdll.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\msvcrt.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\sechost.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\shell32.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\shcore.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\ws2_32.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\system32\uxtheme.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\system32\shfolder.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\ucrtbase.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\GDI32.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\psapi.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\SYSTEM32\msimg32.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\SYSTEM32\kernel.appcore.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\KERNEL32.DLL	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\combase.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\RPCRT4.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\user32.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\clbcatq.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\SYSTEM32\wininet.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\SYSTEM32\windows.storage.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\SYSTEM32\PROPSYS.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\SYSTEM32\Wldp.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\SYSTEM32\apphelp.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\System32\advapi32.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\SYSTEM32\version.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\SYSTEM32\opengl32.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
File opened for modification	C:\Windows\SYSTEM32\wsock32.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

pid process

920 bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

pid	process
920	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

Drops file in Windows directory 1 IoCs

Processes:

bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

648
648
648

pid	process
648
648
648

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

description	pid	process
Token: SeDebugPrivilege	2628	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
Token: SeTcbPrivilege	2628	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
Token: SeTcbPrivilege	2628	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
Token: SeLoadDriverPrivilege	2628	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
Token: SeCreateGlobalPrivilege	2628	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
Token: SeLockMemoryPrivilege	2628	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
Token: 33	2628	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
Token: SeSecurityPrivilege	2628	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
Token: SeTakeOwnershipPrivilege	2628	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
Token: SeManageVolumePrivilege	2628	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
Token: SeBackupPrivilege	2628	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
Token: SeCreatePagefilePrivilege	2628	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
Token: SeShutdownPrivilege	2628	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
Token: SeRestorePrivilege	2628	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
Token: 33	2628	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
Token: SeIncBasePriorityPrivilege	2628	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

pid process

2628 bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

pid	process
2628	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exebc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

description	pid	process	target process
PID 920 wrote to memory of 1300	920	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
PID 920 wrote to memory of 1300	920	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
PID 920 wrote to memory of 1300	920	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
PID 1300 wrote to memory of 2628	1300	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
PID 1300 wrote to memory of 2628	1300	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe	bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe

C:\Users\Admin\AppData\Local\Temp\bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
"C:\Users\Admin\AppData\Local\Temp\bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET768C.tmp\bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
"C:\Users\Admin\AppData\Local\Temp\cetrainers\CET768C.tmp\bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET768C.tmp\extracted\bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET768C.tmp\extracted\bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET768C.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET768C.tmp\CET_Archive.dat
Filesize
5.7MB

MD5
b9e160496989b782f859e8a4f4cb3b9a

SHA1
8e7a01d69d3309aa2929c4a3a28e6c60490b4fe0

SHA256
822ea6ebca1be677732ac93f0030b8550469674e7652ca8d150b556c924c7276

SHA512
794eb75b1c14a0069249d23833918d008ffaad14baa0a293073015f01e219bf190fbe03da71b22e29d2876394821f8b41b0976df21c927956e562bc0082a83ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET768C.tmp\bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
Filesize
189KB

MD5
a65c29111a4cf5a7fdd5a9d79f77bcab

SHA1
c0c59b1f792c975558c33a3b7cf0d94adc636660

SHA256
dab3003436b6861ae220cc5fdcb97970fc05afdf114c2f91e46eed627ce3d6af

SHA512
b37ef3351e8f46f7183550254acce99b54e0199fc37a02cca78b471dc2d8b697769afdaf7e6cfe89422cfed65a8dcc6d158ef52aba5b0ac9350ea05607fefd7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET768C.tmp\bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
Filesize
189KB

MD5
a65c29111a4cf5a7fdd5a9d79f77bcab

SHA1
c0c59b1f792c975558c33a3b7cf0d94adc636660

SHA256
dab3003436b6861ae220cc5fdcb97970fc05afdf114c2f91e46eed627ce3d6af

SHA512
b37ef3351e8f46f7183550254acce99b54e0199fc37a02cca78b471dc2d8b697769afdaf7e6cfe89422cfed65a8dcc6d158ef52aba5b0ac9350ea05607fefd7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET768C.tmp\extracted\CET_TRAINER.CETRAINER
Filesize
5KB

MD5
64f18f947cf0146091d77e7089f8b04b

SHA1
eea177d4db3f87997ca2adc39f3485b5ddc75bce

SHA256
efbf41ed6b47259dc8edbc2506971897b29976edf5754911b6f7c6c8d389f486

SHA512
8f6d8e7537ef163b284a9937a7e7f50789ec3a0ddab007372bf727c38c8a3ba014dcd7c6a31718fdde9bc9aca69c6cce471460fa0595f3200f1907222277c17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET768C.tmp\extracted\bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
Filesize
14.2MB

MD5
f8c759f9a0b69169b84422cb2da1b984

SHA1
49794299a7a03c6139777552b73064653aa92800

SHA256
45c371ddc8aa5d89bbe5ac7219db10cecfd0036450cc90512777eb561fa48ace

SHA512
953215a6f7726d68b2310cde8f0130eecab82e0a2a5dfecee5adbd2a4d5cf0f4e83aa77c13ff2f3365ec8b48147a57e7be69ba627a2d2ba8e79d4bd6b62b366f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET768C.tmp\extracted\bc41a4fcf3b8dd2ee5c1828b53f3ea8ae8ae6e1decdc665aff985ecce6b8f341.exe
Filesize
14.2MB

MD5
f8c759f9a0b69169b84422cb2da1b984

SHA1
49794299a7a03c6139777552b73064653aa92800

SHA256
45c371ddc8aa5d89bbe5ac7219db10cecfd0036450cc90512777eb561fa48ace

SHA512
953215a6f7726d68b2310cde8f0130eecab82e0a2a5dfecee5adbd2a4d5cf0f4e83aa77c13ff2f3365ec8b48147a57e7be69ba627a2d2ba8e79d4bd6b62b366f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET768C.tmp\extracted\defines.lua
Filesize
11KB

MD5
33077a49abdbfff3eb149d5c27929444

SHA1
ed3ffc77432b5b55851b9e7a1c2bb47b74b12e90

SHA256
9cae73a9cb1146308669974d685f1f8dff5d0ab1aa650fbce862da67775516f4

SHA512
bfe6c4a759fde521f0e792233abee011c877f3e9a91422bf2dfc6b96f3df9c6b612a7fed5d22b1fa96a7488633d82841425e63e0f48e43ff3a532a83204282ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET768C.tmp\extracted\lua53-64.dll
Filesize
515KB

MD5
13100b2466570bf52c48725199c4e3c6

SHA1
166cc1d388de4d292d4cd9331ef65ee3a158a31e

SHA256
002dcb8ae68f51d54927b05e4726601640c6ddd6a063cc306640a7245b655f57

SHA512
5e916722673d431417400836e9555148b433a4f9a15e06076ec3eb1c0ba986915c4f4d6940e7f88dcbb2f9599458e14d692bcaaa56dc1e2253005ab295d8589d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET768C.tmp\extracted\lua53-64.dll
Filesize
515KB

MD5
13100b2466570bf52c48725199c4e3c6

SHA1
166cc1d388de4d292d4cd9331ef65ee3a158a31e

SHA256
002dcb8ae68f51d54927b05e4726601640c6ddd6a063cc306640a7245b655f57

SHA512
5e916722673d431417400836e9555148b433a4f9a15e06076ec3eb1c0ba986915c4f4d6940e7f88dcbb2f9599458e14d692bcaaa56dc1e2253005ab295d8589d

Download Submit
memory/920-138-0x0000000077050000-0x00000000771F3000-memory.dmp

Filesize
1.6MB

Download
memory/920-130-0x00000000005C0000-0x0000000001204000-memory.dmp

Filesize
12.3MB

Download
memory/920-133-0x00000000005C0000-0x0000000001204000-memory.dmp

Filesize
12.3MB

Download
memory/920-132-0x00000000005C0000-0x0000000001204000-memory.dmp

Filesize
12.3MB

Download
memory/920-131-0x00000000005C0000-0x0000000001204000-memory.dmp

Filesize
12.3MB

Download
memory/920-146-0x00000000005C0000-0x0000000001204000-memory.dmp

Filesize
12.3MB

Download
memory/1300-134-0x0000000000000000-mapping.dmp

Download
memory/2628-139-0x0000000000000000-mapping.dmp

Download