073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef

Analysis

max time kernel
152s
max time network
131s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-10-2022 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Size

170KB
MD5

0b25185fbe39bbbd8aab2daaa0de0924
SHA1

e0fea4569f3b5b924293fdb0c8c3313c222280ca
SHA256

073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef
SHA512

3a2b86afb2107c8e536bfea1825808a1d8be0370a5105df9163585f28d7835ea31673397e5163d20c9e259cec66b38a081525c1436707baa9a7dd6d099acbe06
SSDEEP

3072:DOp8KRaug8q9/ZXoOIeBBMLE0Y11rP3jfkvpoGoFjT7rEzmZ/B9Ww2CUQGO/bF0P:iCKRaczLE0ofkvpoGoqzY3zF0rth

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1652	wayfu.exe

Deletes itself 1 IoCs

pid	Process
1140	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	wayfu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{83B74EA1-2FD2-87D8-8EE2-E151CE8AAADF} = "C:\\Users\\Admin\\AppData\\Roaming\\Veif\\wayfu.exe"	wayfu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1404 set thread context of 1140	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe	28

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\4E8D3426-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1652	wayfu.exe
1652	wayfu.exe
1652	wayfu.exe
1652	wayfu.exe
1652	wayfu.exe
1652	wayfu.exe
1652	wayfu.exe
1652	wayfu.exe
1652	wayfu.exe
1652	wayfu.exe
1652	wayfu.exe
1652	wayfu.exe
1652	wayfu.exe
1652	wayfu.exe
1652	wayfu.exe
1652	wayfu.exe
1652	wayfu.exe
1652	wayfu.exe
1652	wayfu.exe
1652	wayfu.exe
1652	wayfu.exe
1652	wayfu.exe
1652	wayfu.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1652	wayfu.exe
Token: SeSecurityPrivilege	1652	wayfu.exe
Token: SeSecurityPrivilege	1652	wayfu.exe
Token: SeSecurityPrivilege	1652	wayfu.exe
Token: SeSecurityPrivilege	1652	wayfu.exe
Token: SeSecurityPrivilege	1652	wayfu.exe
Token: SeSecurityPrivilege	1652	wayfu.exe
Token: SeSecurityPrivilege	1652	wayfu.exe
Token: SeSecurityPrivilege	1652	wayfu.exe
Token: SeSecurityPrivilege	1652	wayfu.exe
Token: SeSecurityPrivilege	1652	wayfu.exe
Token: SeSecurityPrivilege	1652	wayfu.exe
Token: SeSecurityPrivilege	1652	wayfu.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeManageVolumePrivilege	1176	WinMail.exe
Token: SeSecurityPrivilege	1652	wayfu.exe
Token: SeSecurityPrivilege	1652	wayfu.exe
Token: SeSecurityPrivilege	1652	wayfu.exe
Token: SeSecurityPrivilege	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
Token: SeSecurityPrivilege	1652	wayfu.exe
Token: SeSecurityPrivilege	1652	wayfu.exe
Token: SeSecurityPrivilege	1652	wayfu.exe
Token: SeSecurityPrivilege	1652	wayfu.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1176	WinMail.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1652	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe	26
PID 1404 wrote to memory of 1652	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe	26
PID 1404 wrote to memory of 1652	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe	26
PID 1404 wrote to memory of 1652	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe	26
PID 1652 wrote to memory of 1272	1652	wayfu.exe	15
PID 1652 wrote to memory of 1272	1652	wayfu.exe	15
PID 1652 wrote to memory of 1272	1652	wayfu.exe	15
PID 1652 wrote to memory of 1272	1652	wayfu.exe	15
PID 1652 wrote to memory of 1272	1652	wayfu.exe	15
PID 1652 wrote to memory of 1364	1652	wayfu.exe	14
PID 1652 wrote to memory of 1364	1652	wayfu.exe	14
PID 1652 wrote to memory of 1364	1652	wayfu.exe	14
PID 1652 wrote to memory of 1364	1652	wayfu.exe	14
PID 1652 wrote to memory of 1364	1652	wayfu.exe	14
PID 1652 wrote to memory of 1412	1652	wayfu.exe	17
PID 1652 wrote to memory of 1412	1652	wayfu.exe	17
PID 1652 wrote to memory of 1412	1652	wayfu.exe	17
PID 1652 wrote to memory of 1412	1652	wayfu.exe	17
PID 1652 wrote to memory of 1412	1652	wayfu.exe	17
PID 1652 wrote to memory of 1404	1652	wayfu.exe	25
PID 1652 wrote to memory of 1404	1652	wayfu.exe	25
PID 1652 wrote to memory of 1404	1652	wayfu.exe	25
PID 1652 wrote to memory of 1404	1652	wayfu.exe	25
PID 1652 wrote to memory of 1404	1652	wayfu.exe	25
PID 1652 wrote to memory of 1176	1652	wayfu.exe	27
PID 1652 wrote to memory of 1176	1652	wayfu.exe	27
PID 1652 wrote to memory of 1176	1652	wayfu.exe	27
PID 1652 wrote to memory of 1176	1652	wayfu.exe	27
PID 1652 wrote to memory of 1176	1652	wayfu.exe	27
PID 1404 wrote to memory of 1140	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe	28
PID 1404 wrote to memory of 1140	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe	28
PID 1404 wrote to memory of 1140	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe	28
PID 1404 wrote to memory of 1140	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe	28
PID 1404 wrote to memory of 1140	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe	28
PID 1404 wrote to memory of 1140	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe	28
PID 1404 wrote to memory of 1140	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe	28
PID 1404 wrote to memory of 1140	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe	28
PID 1404 wrote to memory of 1140	1404	073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe	28
PID 1652 wrote to memory of 1816	1652	wayfu.exe	29
PID 1652 wrote to memory of 1816	1652	wayfu.exe	29
PID 1652 wrote to memory of 1816	1652	wayfu.exe	29
PID 1652 wrote to memory of 1816	1652	wayfu.exe	29
PID 1652 wrote to memory of 1816	1652	wayfu.exe	29
PID 1652 wrote to memory of 1380	1652	wayfu.exe	30
PID 1652 wrote to memory of 1380	1652	wayfu.exe	30
PID 1652 wrote to memory of 1380	1652	wayfu.exe	30
PID 1652 wrote to memory of 1380	1652	wayfu.exe	30
PID 1652 wrote to memory of 1380	1652	wayfu.exe	30
PID 1652 wrote to memory of 1592	1652	wayfu.exe	31
PID 1652 wrote to memory of 1592	1652	wayfu.exe	31
PID 1652 wrote to memory of 1592	1652	wayfu.exe	31
PID 1652 wrote to memory of 1592	1652	wayfu.exe	31
PID 1652 wrote to memory of 1592	1652	wayfu.exe	31

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1364

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1272

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1412
- C:\Users\Admin\AppData\Local\Temp\073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe
  "C:\Users\Admin\AppData\Local\Temp\073a2f9c152b933ac174c5c67a5f74f6083818ba0bd36573d3e79dd2970da7ef.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Users\Admin\AppData\Roaming\Veif\wayfu.exe
    "C:\Users\Admin\AppData\Roaming\Veif\wayfu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9f904da4.bat"
    3⤵
    - Deletes itself
    PID:1140

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1176

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1265781848-130108047079684019797902409256766064512013494721103994614-1132183659"
1⤵
PID:1816

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1380

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9f904da4.bat

Filesize
307B

MD5
965d4375998c84f441b2261c9d6f1bbe

SHA1
28075db496bbbede442679828fccf4768f406a1e

SHA256
0d879576a0ca5dcc385504857f7fb4b887acb1633a3367cb383e3680fc88330c

SHA512
6f4f34e06e8868b13865ae0db57c1b2c62c85ebc87a072a43f5fb6a84dfbd94a4467cbb437fc3ace0fa036660f983c7810adf5353efa1fba5b0a02d71a6559b5

Download Submit
C:\Users\Admin\AppData\Roaming\Emle\kyim.kis

Filesize
398B

MD5
5050aa4ee95c2dcdbf70972e0436fc78

SHA1
11d356cc3c8841cbb7277c7d658765ae6cb5f923

SHA256
d6b8cbba429d0ae48beab43cf1e142009f95ee8560a0894a2b680fba7401d8b6

SHA512
d41a06bd61568413432225113a2cd8addd698cc682158963ca93c9f4d191e2b2fed2f80bd9bd378fcff72e78f07df1bb82583b90950cb7152482faa4ccbf50a9

Download Submit
C:\Users\Admin\AppData\Roaming\Veif\wayfu.exe

Filesize
170KB

MD5
0a6fcce068c644100f505ee5daeb8f36

SHA1
afa26c870f34a431ccf2047de2f654a07a81d2ca

SHA256
40817add580fa401efc0f44de863b09affccb6256a62b85d45b3027fda374479

SHA512
901ac473b31b1b2b098582980e527e5b69cf70972b6a8cf66d2a681cf5aabb2abcea3517822f6a64ab78490a49e9e578771c56927c61245650f1828ae57368b6

Download Submit
C:\Users\Admin\AppData\Roaming\Veif\wayfu.exe

Filesize
170KB

MD5
0a6fcce068c644100f505ee5daeb8f36

SHA1
afa26c870f34a431ccf2047de2f654a07a81d2ca

SHA256
40817add580fa401efc0f44de863b09affccb6256a62b85d45b3027fda374479

SHA512
901ac473b31b1b2b098582980e527e5b69cf70972b6a8cf66d2a681cf5aabb2abcea3517822f6a64ab78490a49e9e578771c56927c61245650f1828ae57368b6

Download Submit
C:\debug.txt

Filesize
11KB

MD5
3ec86a6e87b90e02924e7c6773f59fdc

SHA1
a63f7bf7a752891dec64a96d89694d029f9338b1

SHA256
5bb3026ca8e265417d1dcc041f0f170c3cb916ba95b7b387430fcb0894aa83dd

SHA512
e6cd8963550c8e3fb547266e5a61c474dfd2296f72477ac443ac430bfa116628c4edf305d64fb8a25cb24d5ff146b1d94df1d48b979f285818e60cada775e0ec

Download Submit
C:\debug.txt

Filesize
11KB

MD5
cf30ee6ef53781837b3b52dbdaacc4f7

SHA1
f7e0731edb985d011092d7af617b58df1d7337de

SHA256
eb95dda245c96a8762a31b068b7ce350be13ca176ddcc8b5b24d8da01c50c05d

SHA512
d2b135c88b1d426ca0037e51ba5c2e27a02246b80cc811d02a439bdd930b475653ac27d09e5bcfb316917a381086554421b0bbf793f4a1daf49a49edc5758751

Download Submit
C:\debug.txt

Filesize
11KB

MD5
6099625176207d4848dc711808634add

SHA1
7578e19034cc100143da1cd4ad46740b697d5ee7

SHA256
bcdee9ed59b3ba85d212c99ac13b1b28f8ee1007d4d6c491bb6ea3099c3b5f16

SHA512
aade0783d8cfc0edb175986ab80feb87b3860615820e32dc2f7f95f17b830758ead8c451ea10368ad9113ac3144ca2ce944fabec9cfab26e70fedaadb00b4668

Download Submit
C:\debug.txt

Filesize
13KB

MD5
7b53376eee9b9d1eeb0e37561d774e4d

SHA1
6bc6598a190ebb2567a95591b19776ebf82d285c

SHA256
e923db6ab7a49c0bedaca570c208dd619c755aaf3740aee40a3d7b1ff1ffe1e9

SHA512
c318989bbe0dac0c4182ddf1278043a1959208ae588e72990f80eeffc59cfbfe6a84157a1cb9245f89f945fdef23bf9def9ae2c8a54ab523bc91b1021a9358d9

Download Submit
C:\debug.txt

Filesize
13KB

MD5
7b53376eee9b9d1eeb0e37561d774e4d

SHA1
6bc6598a190ebb2567a95591b19776ebf82d285c

SHA256
e923db6ab7a49c0bedaca570c208dd619c755aaf3740aee40a3d7b1ff1ffe1e9

SHA512
c318989bbe0dac0c4182ddf1278043a1959208ae588e72990f80eeffc59cfbfe6a84157a1cb9245f89f945fdef23bf9def9ae2c8a54ab523bc91b1021a9358d9

Download Submit
C:\debug.txt

Filesize
15KB

MD5
539cc43e13d9c94ac86d95d21c2c28c7

SHA1
265453cf17c7dcad1073d5a55e194c96ff6879b8

SHA256
2c7b2daaeca21fe1d361b40ff18c7d63d246662cbf27984816e11b1161b07809

SHA512
40f9b7add28a07c3daa4826804e3ed98e4ea52e49957afc2b326b07a2e4beacde13c9879cda7d7924ce164f01fc48384d9cb71b576262b2f600ac4a4c3421f41

Download Submit
C:\debug.txt

Filesize
16KB

MD5
a466907d439a56124a0809895a637392

SHA1
d7e9dc29d7d27ada38ea632c7345434ccdac7b5e

SHA256
746433b7bf9b5f3bbca1dfe3d56ca330125d0e5113adb27d00917b55f570f599

SHA512
696e77f1292698940ef47842cb07bc602e259747fb0c22e5086ec90ab7e86d93fe15d592f0cbd4ea7be423d09869a27546a06523d39cb151e50d9d6a80d68f4d

Download Submit
C:\debug.txt

Filesize
16KB

MD5
7c2cabf04b359a932dcecff1a39a49c5

SHA1
43a097a38b3a566670ecc341b23bb41ce5851817

SHA256
d0f51033b81c5d9b16dc234165daa35953c8f44ef319c0e3abf1f029ee8c5237

SHA512
3979c6d6f0f7a037335f920976d1a30e0b943017c0dcea933b98ffba1dbfbc92a23b4419cb99aca5b32cb1103a4496f60bbb49b1f10775fea19841257f700ba5

Download Submit
C:\debug.txt

Filesize
20KB

MD5
957323cec8f56b131bdeee065163492e

SHA1
bf471222f433dbc2ae04ff572ae2a8af5879fc78

SHA256
57315ebe3f0b8ce4df3ceb75c4b148c0f9727bc744c2910b45fd471e03669530

SHA512
14e0cbbe666b80b93f8b06e004388b8969005b24ffbe38c6fa4db16f18cc194857e2e67a65250961c081f501199d08a47e723695a28760f21d268db79804e686

Download Submit
C:\debug.txt

Filesize
2KB

MD5
528935893288c582435fb63cff287d1d

SHA1
5162710f657078058e3d174ee936f65a62861f3b

SHA256
703f58f0402933a56e4c0584e8ad0f0dbefc5b67b83f7fdcb19835226ea51e5d

SHA512
cc347dd78da0ee1d9374d2c46012f6b349bd416cfa46f098de82a494eadd35a015929deb779d56bb62fd65140526d562e5b9738292ee5ce35f0f213a27acbcef

Download Submit
C:\debug.txt

Filesize
5KB

MD5
b5bfbd6a1ba07572403d20de71ff3268

SHA1
46e4dd18e43e043a2caead45f088446f475f0349

SHA256
c196e795fa4a1d700af3074f4c6ad506b7701ae486813d075a8cb713f0046d54

SHA512
17908e2617d1018d1ecbe653ece94410460e7ce2b28daa040d53028d188ee0dbe9f301857e6757b58ca1cf29a905564d51fccbe4191efc4ed2cc591a2738e519

Download Submit
\Users\Admin\AppData\Roaming\Veif\wayfu.exe

Filesize
170KB

MD5
0a6fcce068c644100f505ee5daeb8f36

SHA1
afa26c870f34a431ccf2047de2f654a07a81d2ca

SHA256
40817add580fa401efc0f44de863b09affccb6256a62b85d45b3027fda374479

SHA512
901ac473b31b1b2b098582980e527e5b69cf70972b6a8cf66d2a681cf5aabb2abcea3517822f6a64ab78490a49e9e578771c56927c61245650f1828ae57368b6

Download Submit
\Users\Admin\AppData\Roaming\Veif\wayfu.exe

Filesize
170KB

MD5
0a6fcce068c644100f505ee5daeb8f36

SHA1
afa26c870f34a431ccf2047de2f654a07a81d2ca

SHA256
40817add580fa401efc0f44de863b09affccb6256a62b85d45b3027fda374479

SHA512
901ac473b31b1b2b098582980e527e5b69cf70972b6a8cf66d2a681cf5aabb2abcea3517822f6a64ab78490a49e9e578771c56927c61245650f1828ae57368b6

Download Submit
memory/1140-119-0x00000000000B0000-0x00000000000DF000-memory.dmp

Filesize
188KB

Download
memory/1140-118-0x00000000000B0000-0x00000000000DF000-memory.dmp

Filesize
188KB

Download
memory/1140-116-0x00000000000B0000-0x00000000000DF000-memory.dmp

Filesize
188KB

Download
memory/1140-120-0x00000000000B0000-0x00000000000DF000-memory.dmp

Filesize
188KB

Download
memory/1140-121-0x00000000000C0DC6-mapping.dmp

Download
memory/1140-126-0x00000000000B0000-0x00000000000DF000-memory.dmp

Filesize
188KB

Download
memory/1176-90-0x0000000002030000-0x0000000002040000-memory.dmp

Filesize
64KB

Download
memory/1176-108-0x0000000003C80000-0x0000000003CAF000-memory.dmp

Filesize
188KB

Download
memory/1176-105-0x0000000003C80000-0x0000000003CAF000-memory.dmp

Filesize
188KB

Download
memory/1176-88-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp

Filesize
8KB

Download
memory/1176-89-0x000007FEF6331000-0x000007FEF6333000-memory.dmp

Filesize
8KB

Download
memory/1176-106-0x0000000003C80000-0x0000000003CAF000-memory.dmp

Filesize
188KB

Download
memory/1176-96-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/1176-107-0x0000000003C80000-0x0000000003CAF000-memory.dmp

Filesize
188KB

Download
memory/1272-64-0x0000000001BE0000-0x0000000001C0F000-memory.dmp

Filesize
188KB

Download
memory/1272-62-0x0000000001BE0000-0x0000000001C0F000-memory.dmp

Filesize
188KB

Download
memory/1272-65-0x0000000001BE0000-0x0000000001C0F000-memory.dmp

Filesize
188KB

Download
memory/1272-66-0x0000000001BE0000-0x0000000001C0F000-memory.dmp

Filesize
188KB

Download
memory/1272-67-0x0000000001BE0000-0x0000000001C0F000-memory.dmp

Filesize
188KB

Download
memory/1364-70-0x00000000002C0000-0x00000000002EF000-memory.dmp

Filesize
188KB

Download
memory/1364-73-0x00000000002C0000-0x00000000002EF000-memory.dmp

Filesize
188KB

Download
memory/1364-72-0x00000000002C0000-0x00000000002EF000-memory.dmp

Filesize
188KB

Download
memory/1364-71-0x00000000002C0000-0x00000000002EF000-memory.dmp

Filesize
188KB

Download
memory/1380-136-0x0000000000210000-0x000000000023F000-memory.dmp

Filesize
188KB

Download
memory/1380-137-0x0000000000210000-0x000000000023F000-memory.dmp

Filesize
188KB

Download
memory/1404-85-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/1404-87-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/1404-84-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/1404-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1404-82-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/1404-83-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/1412-78-0x0000000002A90000-0x0000000002ABF000-memory.dmp

Filesize
188KB

Download
memory/1412-76-0x0000000002A90000-0x0000000002ABF000-memory.dmp

Filesize
188KB

Download
memory/1412-77-0x0000000002A90000-0x0000000002ABF000-memory.dmp

Filesize
188KB

Download
memory/1412-79-0x0000000002A90000-0x0000000002ABF000-memory.dmp

Filesize
188KB

Download
memory/1652-57-0x0000000000000000-mapping.dmp

Download
memory/1816-130-0x0000000001BF0000-0x0000000001C1F000-memory.dmp

Filesize
188KB

Download
memory/1816-131-0x0000000001BF0000-0x0000000001C1F000-memory.dmp

Filesize
188KB

Download
memory/1816-132-0x0000000001BF0000-0x0000000001C1F000-memory.dmp

Filesize
188KB

Download
memory/1816-133-0x0000000001BF0000-0x0000000001C1F000-memory.dmp

Filesize
188KB

Download