a461b49dd8cefa224a283ae845596748de54ba51a2126569a9e75b5eba8fac96

Analysis

max time kernel
125s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WaveX-V2.1.zip
Size

8.5MB
MD5

380d7543923285d007a841846bc38aab
SHA1

823dc009a75a35a71256e33f13e9a37244939444
SHA256

a461b49dd8cefa224a283ae845596748de54ba51a2126569a9e75b5eba8fac96
SHA512

91c1b0a79f135acd8e203128bbf311ef0dd8e86856c1fbf69796b8524c9797070fc17c3e60fc70421c63628d9d6bba800ecf2051b011634564aa92fe98c7f2de
SSDEEP

196608:qxzQfduw6PAw+F25LufmMQ8zWz18wAd+cJC+HMj3ppbfSUILFMkc:W8fdHPvF2NufmQqzGw5ACJ3zuUI5Mx

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Wave X.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Wave X.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Wave X.exe

Executes dropped EXE 6 IoCs

pid	Process
1156	Wave X.exe
224	Potential.pif
4944	Wave X.exe
4872	Potential.pif
4220	Wave X.exe
2172	Potential.pif

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
4704	tasklist.exe
3516	tasklist.exe
1312	tasklist.exe
968	tasklist.exe
3716	tasklist.exe
3076	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Potential.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wave X.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Potential.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wave X.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Potential.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wave X.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
1820	timeout.exe
2656	timeout.exe
2460	timeout.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
224	Potential.pif
224	Potential.pif
224	Potential.pif
224	Potential.pif
224	Potential.pif
224	Potential.pif
4872	Potential.pif
4872	Potential.pif
4872	Potential.pif
4872	Potential.pif
4872	Potential.pif
4872	Potential.pif
2172	Potential.pif
2172	Potential.pif
2172	Potential.pif
2172	Potential.pif
2172	Potential.pif
2172	Potential.pif

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3808	7zFM.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	4424	7zFM.exe
Token: 35	4424	7zFM.exe
Token: SeRestorePrivilege	3808	7zFM.exe
Token: 35	3808	7zFM.exe
Token: SeSecurityPrivilege	3808	7zFM.exe
Token: SeDebugPrivilege	1312	tasklist.exe
Token: SeDebugPrivilege	968	tasklist.exe
Token: SeDebugPrivilege	3716	tasklist.exe
Token: SeDebugPrivilege	3076	tasklist.exe
Token: SeDebugPrivilege	4704	tasklist.exe
Token: SeDebugPrivilege	3516	tasklist.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
4424	7zFM.exe
3808	7zFM.exe
3808	7zFM.exe
224	Potential.pif
224	Potential.pif
224	Potential.pif
4872	Potential.pif
4872	Potential.pif
4872	Potential.pif
2172	Potential.pif
2172	Potential.pif
2172	Potential.pif

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
224	Potential.pif
224	Potential.pif
224	Potential.pif
4872	Potential.pif
4872	Potential.pif
4872	Potential.pif
2172	Potential.pif
2172	Potential.pif
2172	Potential.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 2272	1156	Wave X.exe	115
PID 1156 wrote to memory of 2272	1156	Wave X.exe	115
PID 1156 wrote to memory of 2272	1156	Wave X.exe	115
PID 2272 wrote to memory of 1312	2272	cmd.exe	118
PID 2272 wrote to memory of 1312	2272	cmd.exe	118
PID 2272 wrote to memory of 1312	2272	cmd.exe	118
PID 2272 wrote to memory of 5052	2272	cmd.exe	119
PID 2272 wrote to memory of 5052	2272	cmd.exe	119
PID 2272 wrote to memory of 5052	2272	cmd.exe	119
PID 2272 wrote to memory of 968	2272	cmd.exe	120
PID 2272 wrote to memory of 968	2272	cmd.exe	120
PID 2272 wrote to memory of 968	2272	cmd.exe	120
PID 2272 wrote to memory of 3904	2272	cmd.exe	121
PID 2272 wrote to memory of 3904	2272	cmd.exe	121
PID 2272 wrote to memory of 3904	2272	cmd.exe	121
PID 2272 wrote to memory of 3064	2272	cmd.exe	122
PID 2272 wrote to memory of 3064	2272	cmd.exe	122
PID 2272 wrote to memory of 3064	2272	cmd.exe	122
PID 2272 wrote to memory of 220	2272	cmd.exe	123
PID 2272 wrote to memory of 220	2272	cmd.exe	123
PID 2272 wrote to memory of 220	2272	cmd.exe	123
PID 2272 wrote to memory of 1808	2272	cmd.exe	124
PID 2272 wrote to memory of 1808	2272	cmd.exe	124
PID 2272 wrote to memory of 1808	2272	cmd.exe	124
PID 2272 wrote to memory of 224	2272	cmd.exe	125
PID 2272 wrote to memory of 224	2272	cmd.exe	125
PID 2272 wrote to memory of 224	2272	cmd.exe	125
PID 2272 wrote to memory of 2656	2272	cmd.exe	126
PID 2272 wrote to memory of 2656	2272	cmd.exe	126
PID 2272 wrote to memory of 2656	2272	cmd.exe	126
PID 4944 wrote to memory of 2112	4944	Wave X.exe	128
PID 4944 wrote to memory of 2112	4944	Wave X.exe	128
PID 4944 wrote to memory of 2112	4944	Wave X.exe	128
PID 2112 wrote to memory of 3716	2112	cmd.exe	130
PID 2112 wrote to memory of 3716	2112	cmd.exe	130
PID 2112 wrote to memory of 3716	2112	cmd.exe	130
PID 2112 wrote to memory of 4704	2112	cmd.exe	131
PID 2112 wrote to memory of 4704	2112	cmd.exe	131
PID 2112 wrote to memory of 4704	2112	cmd.exe	131
PID 2112 wrote to memory of 3076	2112	cmd.exe	133
PID 2112 wrote to memory of 3076	2112	cmd.exe	133
PID 2112 wrote to memory of 3076	2112	cmd.exe	133
PID 2112 wrote to memory of 3032	2112	cmd.exe	134
PID 2112 wrote to memory of 3032	2112	cmd.exe	134
PID 2112 wrote to memory of 3032	2112	cmd.exe	134
PID 2112 wrote to memory of 4652	2112	cmd.exe	135
PID 2112 wrote to memory of 4652	2112	cmd.exe	135
PID 2112 wrote to memory of 4652	2112	cmd.exe	135
PID 2112 wrote to memory of 1664	2112	cmd.exe	136
PID 2112 wrote to memory of 1664	2112	cmd.exe	136
PID 2112 wrote to memory of 1664	2112	cmd.exe	136
PID 2112 wrote to memory of 4872	2112	cmd.exe	137
PID 2112 wrote to memory of 4872	2112	cmd.exe	137
PID 2112 wrote to memory of 4872	2112	cmd.exe	137
PID 2112 wrote to memory of 2460	2112	cmd.exe	138
PID 2112 wrote to memory of 2460	2112	cmd.exe	138
PID 2112 wrote to memory of 2460	2112	cmd.exe	138
PID 4220 wrote to memory of 2872	4220	Wave X.exe	140
PID 4220 wrote to memory of 2872	4220	Wave X.exe	140
PID 4220 wrote to memory of 2872	4220	Wave X.exe	140
PID 2872 wrote to memory of 4704	2872	cmd.exe	142
PID 2872 wrote to memory of 4704	2872	cmd.exe	142
PID 2872 wrote to memory of 4704	2872	cmd.exe	142
PID 2872 wrote to memory of 436	2872	cmd.exe	143

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\WaveX-V2.1.zip
1⤵
PID:2540

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:804

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Wave.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4424

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Wave.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3808

C:\Users\Admin\Desktop\Wave\Wave X.exe
"C:\Users\Admin\Desktop\Wave\Wave X.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy Corruption Corruption.cmd & Corruption.cmd & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5052
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:968
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3904
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 542297
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3064
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "seefilteramongstlaura" Armed
    3⤵
    - System Location Discovery: System Language Discovery
    PID:220
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Itself + Preferences + Red + Col + Cl + Sells + Classroom + Ra + Lows 542297\o
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1808
- - C:\Users\Admin\AppData\Local\Temp\542297\Potential.pif
    542297\Potential.pif 542297\o
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:224
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2656

C:\Users\Admin\Desktop\Wave\Wave X.exe
"C:\Users\Admin\Desktop\Wave\Wave X.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy Corruption Corruption.cmd & Corruption.cmd & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3716
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4704
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3076
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 542297
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Itself + Preferences + Red + Col + Cl + Sells + Classroom + Ra + Lows 542297\o
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1664
- - C:\Users\Admin\AppData\Local\Temp\542297\Potential.pif
    542297\Potential.pif 542297\o
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4872
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2460

C:\Users\Admin\Desktop\Wave\Wave X.exe
"C:\Users\Admin\Desktop\Wave\Wave X.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy Corruption Corruption.cmd & Corruption.cmd & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4704
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:436
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3516
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 542297
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3904
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Itself + Preferences + Red + Col + Cl + Sells + Classroom + Ra + Lows 542297\o
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2024
- - C:\Users\Admin\AppData\Local\Temp\542297\Potential.pif
    542297\Potential.pif 542297\o
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2172
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\542297\Potential.pif

Filesize
915KB

MD5
b06e67f9767e5023892d9698703ad098

SHA1
acc07666f4c1d4461d3e1c263cf6a194a8dd1544

SHA256
8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

SHA512
7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

Download Submit
C:\Users\Admin\AppData\Local\Temp\542297\o

Filesize
627KB

MD5
aaba38c4dc831173c4eb12858324d915

SHA1
eff63b39dbedcd4e72a793d13bf9d1808e1e6f46

SHA256
8efd7e1ca2284194fd5058b1de48dd44ad5e7df810f047b0e28991401fdb4818

SHA512
3209878a3d508718acb4c53fe1f4e5dcd12a8630d134d0f4763308bcf04c390009d725df80c1802df8dda3769b0ef2a6e05da3406ae45fca37defa9d9ef2aae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Applied

Filesize
29KB

MD5
aec177a779f8cc333739d4df09af2773

SHA1
cf17c1ac47c21fa19e4f9d0ad4e9ba845a00e2c2

SHA256
fd24c2b009e3dc77a85bb7cb20da02bc962858206d6e321275349c71142e0ad3

SHA512
f0bdf34819c29612b6bbb975fb794a91cae45fa029d5d3ca26ffa6b12b307ecd1d74f21a59b21f0812cec05cc7baddcb004c81fa0e209e7412a49ddaeb276734

Download Submit
C:\Users\Admin\AppData\Local\Temp\Armed

Filesize
164B

MD5
1efffd031fb054338bf4bd2fe96c4df2

SHA1
4d1af619c855f3bc783ae15245249e3f5ef5b9ed

SHA256
b8bb8a7f22541845748b91f3ea3dfafc970cfc3b33e4d570171a0633965bcbd7

SHA512
4dad6ec6462044bf925def04bec3b4477f4c192e82d639ed9d144647f9da8bc6197a71c1d5370495aaa3ab5fd518d255f100da16d1f99c0df7dbe8ff2b248777

Download Submit
C:\Users\Admin\AppData\Local\Temp\Batch

Filesize
65KB

MD5
f787d3bf323cb351877341d18d22b98d

SHA1
5131d180c65870e702bafdbcdc9a804f6f9bf73f

SHA256
1097e3796926233eba93074211e8b40b596eb5d34160a24131518608a217ddd7

SHA512
5626709cc25304082841b794f1c870dd4d0550443b86918a407a1a274f9f3d9e31d9cfebf349c982545aa8daa38547d3735a474a43486f69576f2a7407331da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Carol

Filesize
31KB

MD5
52089e08a23f23d9ee2e37ed3a32efad

SHA1
d263dfeb70e1b48a050e517285bab9eca5bf1982

SHA256
b24f2f1ed6dd1b738d095ed1c84231152515c577fb5f4b1f6a99449e29e4f39c

SHA512
b6efe8a672ea2f833a2d67e254e5ecdf982fd2ef56cc95dfc12001eeff98e6c261af58a78204a205c18d078adf59de47ba6991fd4579d7dddc3d4d425e4e68ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cigarettes

Filesize
51KB

MD5
55b43f8823bc8844a9eff7f8e7e0e72a

SHA1
b5b20a96e9c933092c0abe9c11b74b07df57e6f4

SHA256
02e87c6b187c547036769301772d27a09d26130732079986c0384093a5bb33be

SHA512
b687779bc56260578c870c63fd5249c8f640599771b11fede476a68a8dadf5488df758a0c181274e73f31ee8304a5bcb9cf128d53fe2e9f7d3627c11f902c6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cl

Filesize
70KB

MD5
c848ad21d6a2aabe8abbe0ee1515b6e4

SHA1
1edf60b3ed046e86fec6e8f8b91a3989e9085061

SHA256
549ba9f9099788880ca933299d54e7e66910716e3cd1758471f9b0682bb8179e

SHA512
13294f28169c9131e9f3a28d5ebf766f3eee9b0bd1619236f2779cefabf43941eb64c3381b357d1a5ffb2a4c43c3e17bbf6209b9aab18ec66cf10d893f28c023

Download Submit
C:\Users\Admin\AppData\Local\Temp\Classroom

Filesize
62KB

MD5
26fd82ff151dd5412b42668c569fb2ee

SHA1
8d334b785d2d0830215200bfe2aeb3b52d577bf4

SHA256
389c1711db22496f7c85602c48fe506d563876e7e4769c03e3658668914ee926

SHA512
db3de1758908b3f6921a1470ceeb9011faecb021dfc5ba9bb0358606cb268b96bb130fee99220f3457490dd433b9c516bcf3cc7315fe5a51733df3be22f2bf8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Col

Filesize
89KB

MD5
0a235bcb24c7b66fe19dd737524c5941

SHA1
8c66d080abbab2a6b2d829ca6c3e4ddaaa024554

SHA256
64fa696c8d0c3069fe3b72096702a65830cf4fe4f63241aeac8de94d1e72d69c

SHA512
8eb048b4d5823b673c9b82afac6b65670c491fb30a91b5ceb9c5a128e8c28a19c7104062e9c17564613e39444062f55731bac1f51b0803810c7ad338ad7dcb68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Combination

Filesize
7KB

MD5
e5f9443e731b8f77b8cefc3ccbd3ce8f

SHA1
d7f0c26607b00ab634c93952e45e6d1f8a42cbde

SHA256
4e1da94a3520ce4f99298424bdff2686441136d7e9f76122fadf0f944709fcc0

SHA512
4c5081912f6fb3a4274709f92c78bdceff7f02930b1246e866f11b9c82aea7012ae5100fb3db70203a1d807574f2b91b94d72deba2b80c5f71b2bc6dfc1a14ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Corruption

Filesize
7KB

MD5
43daa4914587d5bfcda9acf76e1a20b0

SHA1
38d21165640992b265932bc426a533020a62a06d

SHA256
efb4223fc8ef92681a14f689312787f99ad2b1d9ee1b065b911fcccf5bcea7b9

SHA512
3aaae36319394215c868221ca441ecd1605addfc3af33c59db9da34fa6123b424a3436e09f1750e2b2ac89455552f44c58e9910b3761b098d9775469cdb61406

Download Submit
C:\Users\Admin\AppData\Local\Temp\Def

Filesize
60KB

MD5
ef7e7724ae1943eeca8fb60a2785dba7

SHA1
e94c58fc594a89ed22f9a89e6b969ccdecbf258e

SHA256
9cb24740e1c6a6b5a05bcf68c994b2c8d13df275ad3265fee36adf1ae71e1886

SHA512
e3d4836959e7bb819529f4624c9537ba5750deb56527aa0a56306f4163941ec4bcba965e5fcc5993036d8365c727869e114f31a6d9ee0bc8b5fd3a9911da3593

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dicks

Filesize
46KB

MD5
e9c563a3953ba9a23f5cf55fcda8e57d

SHA1
7c2f5d3a13ddcf46f73320e1df964aa717cbe26b

SHA256
5e18b5c298c0742c3a966bd9159e8a3c4c80cccd69db076a8716a21f9e836533

SHA512
e1fede97ba379952f3a92556707470515dee7667b88fea1841dc783af6317ab39c926ba2532bb1b89046062d663bd718bb694f47b5a8278104964d5425bdd977

Download Submit
C:\Users\Admin\AppData\Local\Temp\Drainage

Filesize
45KB

MD5
83fcc54b99f83e7e9e61f0af7fa5b516

SHA1
52a2b6187662e449143bdc96b7d132f9132d1a3d

SHA256
db8ade57b501ca0d613caa9b64c48c8d2a3bb5cb4ba3c8bad7d25a10292127df

SHA512
499dec4dd69c87e92c460cf53c33d71f299a9e62252de4114040248f5bc028415caf24e852ab7a8a888688810629c50b7379a79400a607cdcdd365254c191c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\East

Filesize
64KB

MD5
96c0b80701eff5116f0bfec563dabffe

SHA1
1178c8faad7998baf1906f3ae84128e055941142

SHA256
a969e54bf5762a4898ec701884bfa47df8edd9d8df6488b801553ad6c0022de8

SHA512
6ea8bffa57a7dcb756efa4ca964eb6c6b68952d9f3f5395ed61240170ce127b98970fdde4928bfbcc6c245ae4a68c6ce62a58b627912d1bcead56089ec771f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Express

Filesize
51KB

MD5
e7a18905c46cb016348e843c9cfd40ed

SHA1
522d1bccfc8c058841c09f36ff69427bab86e3ea

SHA256
e6718a10512d9bfb06c5f7c57a7104f128051d5ca939273e86fd5ef5f7270af5

SHA512
6be337d485745162a35fecd4bca56f240fb5f8c1be14351eedb2934dc72a1c45e5777963c4c032d7ee97f01108d6df6b0b3e57791ad0e6825dcf705053990d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Facing

Filesize
30KB

MD5
58f241a5ae3d35cae76855631a9e68ac

SHA1
ebb2df44b112a503a440b6f8bafacbd3e0c81925

SHA256
4f518d6bff3123fae20c39a89b3f7ee9ced5db2b025d23a7b27cb218a94319eb

SHA512
5408a5f9b1756fb48f5176b2786491f98e49c8fd02e0e41d44f6adce7013df253586e5c22c7e24554ba512e64a9e1e2c9e9a9e868056ce8260acf74d2e48bc41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Handheld

Filesize
62KB

MD5
e3e97315ecdbd360e028d57eb5006fbc

SHA1
2629b1d9b1927c9dbd74ab13bdb081674f76deb2

SHA256
4a539895221449529b554d00338e6eebee8dae9bb0faa0d0c29a71e443d0d3de

SHA512
57c93a3955d2bc00aa38a81532386de81bca1a9b9f6818ff2d1fb216b30c620e88f755bb3a04ac2f11330bc2cccf15d980462bf69d0ec7bd41ad49d6359e0296

Download Submit
C:\Users\Admin\AppData\Local\Temp\Highland

Filesize
61KB

MD5
50a8d0c2f1028948a5925fbfc8ce6792

SHA1
a3a9e8b7ee5396c419f91d9f80203ca9d3d059d7

SHA256
f64b92cf3f5add9eb78276aa689da78e790865296671b4d23cd0b23122f254d3

SHA512
6438fd9e889aae44bf6c703bcd69c3b6e91951a2afe4e3a724d09e14891379374640ad41cedaf6d305b291ed88f36deba3c6f4c6da18d8e6599df5a71c093a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Housing

Filesize
25KB

MD5
6144b0f237ddcf3cc8bf8c049f8cef73

SHA1
c11ee88d61a524ee25536d7dd277af3fbdbe3d61

SHA256
32ada69f9ab7d25b1208aff7c5e8fa9d933c1bfa1e0f7c3876eeebbb9cf53e65

SHA512
9ced095a6f2358766a54a4eca08ba1aaadd7382e94c2d314a3014e2cfef8e5acf76c197e6a431cea7564317d98539f799602bccb31976405d7a44ff9b1d2a563

Download Submit
C:\Users\Admin\AppData\Local\Temp\Impact

Filesize
7KB

MD5
52a6fa299315024962a9fab887039035

SHA1
1e4d3abcee12ab2efff7f342c4a913a686fb9bee

SHA256
c4d6d6aa4488ffc9da9e14f9f11d4038d737d79a4b80991fbe40ec0d7140afa6

SHA512
e661fbe15a5d49ae4a09e8ba9fd2a4861e51e0f0a4d96cd2212035543dfb43cfc0ae7262ae45a2c8439755ae456ff48f51e933eb47e8037430dfbc0450247915

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ind

Filesize
15KB

MD5
b2de1f1197319c2b4df4c843f1833274

SHA1
b7bb4fb714308aa80d64a885cac53f91120a7bce

SHA256
fde38184744bb2c12ec47b9ffd1746c2744992c966ed3f2045c89e3439ada321

SHA512
ae626d02c0d9152246b93657c7c9774d73fde7aae3011aa1ec4eb21b118e1d86728d20016b7c071e35daffeecb9a2b162c4e65a7715a053657db172413ca3cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Itself

Filesize
75KB

MD5
9ce791fc4d11903b218c7c97754f6943

SHA1
41acd543256f006b2ae4d869ba582fa4fd1e3dd8

SHA256
fdf7cd479bab7fc96b2f88532279b925c0da82554e2b1de9fe9a1a386e5b0379

SHA512
a5b0d9cd01d072c7eb382af90a1fbfbd0661f3ebdafcb72b9cd055d23463ea47fdc540b0e9f5095cadc97c163c8dc9ef0dc4973e5fbce6604ab9982714be08c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Las

Filesize
19KB

MD5
b4503288090a1a476525e479399ba3b6

SHA1
5430ecba08da956e0074381e80043c1985350cd9

SHA256
ade84b79761ab992d4596a9a57269e04b6e086ccc6ec062a96db70652ba0c5a6

SHA512
87f6b30f73ab5832ebd77ff5c0690e4b2b10a4699d05984b6e41874704a552d683735b218a9e2c77d4d019e2795918359c1480898fcbd23815983dcef1d88f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lows

Filesize
7KB

MD5
d72f2ef398b8d1725c9afb8ac7c3d466

SHA1
796a5ff932f83dee470a3c45dfc7c079514674a1

SHA256
336567e82a12ecb7c1c6387839fd38701d08a3beb4150b09b08b1ed9d70accf9

SHA512
a19bd9c2f35c48d2d30d5f1ad2f187b3d6702de3f16bea2c43f1dbebdc601f95366aaefb86096aa7800b31fdee816ebca784a56078318fbd5f5322c5626876ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Motherboard

Filesize
31KB

MD5
1dc1a7cf0c0ebbecf98207d307629116

SHA1
ab6c5a86bd308ee881513f5c46485200e0467bab

SHA256
a539751e8609bafb92c0dfa93eb33c520eee2da0886aa702db107c33096515b0

SHA512
30517529494d85450a69555639db658dc2ca966ae0e3d5bef00fe547b707a9cacd50e2f4b941e1a3bba574394ab0cf6929057f447cfc38c8809229522a363c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pipeline

Filesize
67KB

MD5
d6a821726a79203e7bde03b1c9ba0652

SHA1
b92df758b0401d2426df9293c6ddeaca35ed440f

SHA256
44657e9dc0dd5c868e8f474e4dde9643e5389bc4789e623c2308004e2f4ed79b

SHA512
d4113c56fd135930fbc6162db18af53f24d7d7f1adce8abc9f64f04c340cd5994cb427cf8eb5e62ce935373e68e6aadc8fa0e3bbeeba00a166792a121fac68c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Preferences

Filesize
83KB

MD5
fd93100e03823749152e5766873c6db3

SHA1
46c6fe6c6bb3f5ab11b6f28e9b189d31a950694f

SHA256
3073b7145e9ab310457622b651d736cc3d80625433a3a213a81ed63172ea9545

SHA512
3b44c5bb63821832d95c951d7d2d818f2c50020b932da9c1d0fa17e951be686b2fb069e1056048fff4af8325bc0ee3eefd74e97b478062f3b0c7623b4afe6027

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pst

Filesize
38KB

MD5
eb7908ee498149f1e79b9e9832a1b3fb

SHA1
04b561cab74ee1b49c3716410d9ef42c9873c80f

SHA256
e533abdcdea5ab43d1b3ce66090d7a1005ea95b20866e812df388776e0975df1

SHA512
21f6b9f917d9aeecf1d01c03198012fa7e0e31706ff40c0f04090889420c3eb4b5817fbdb2fdd70547222857dc2f2ec8b61744b67893ffaf01568f8179c9225a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Puts

Filesize
43KB

MD5
a5085125b2786ba9cb4c19b379498f7a

SHA1
f7534c7899e6fd8fefdf38eb125cd94a82ea8b72

SHA256
f7019ccf4e6cf87461d3fb349e6e81c887edef5020081dd0731de37a3f0ff637

SHA512
e5bdd28add2263d6f9feae74e00b944940adc2960ac65040963707d87daa1ceeb6b83c1ea80bfda3150fd30a1323e77bcea989fc8531b2c84b42103e712ff823

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ra

Filesize
52KB

MD5
6bbc87e3efc22158391acd10909c4efb

SHA1
2483f328f953c519d38ba7cbcd12c3b49e44508e

SHA256
f732103a80c2c3c5d3c8aa86dcf4790a1e2b27c22d2af639e08193cd58f1ad71

SHA512
7196904ccb0ea37f206f05eb0c87e570a9b544a03f53adb3217432be77edf66c165641c9acb8f5d0ced0430050b267d4297252f6133b620b9f922f7f595a0cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Red

Filesize
136KB

MD5
d46d5c5d322f873cd675a158ff73be45

SHA1
4181848befc518a6f1cfb8d21e5e7d956b3f5f43

SHA256
6917afa5ec87fe2bb7d635121fe9d4a640da5a85ab53bdc49464e441b12d7ea8

SHA512
7e62cc97c315a399c9a6e362345ffaf3b12bed17ef27316a51b4ca8d95876d450812170a58d351b7f7285c62910f8cafb3dac1a885ee69449a64a0dbe90970df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sells

Filesize
53KB

MD5
ed7f80c6057d372ba77cba8398ff6912

SHA1
0a1c52f60d94b7ed3c525090c11cf4f1a6ccd348

SHA256
ebe88e27ef3a966e15188e11cafbeb6a5e5b3caad5725687e69166c3b3cd9e55

SHA512
3c43f14d3876eb34b71b1c1d72e741c4c9b8745b49649705b9776d2791a945667aa2acb2f258edeff6f66abb3d6f0cd508f178ef5889147fdc99ab7c78016151

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seniors

Filesize
23KB

MD5
95ec1ac18ec725f4ccde24c1ff3616d3

SHA1
efd2b1f9f2c3dcf58716a70b0bd3ac161e4ff8ee

SHA256
aa945e4c411f0c91383ac42119eee1e14ce5ec8c2c8356616421091652145a47

SHA512
11388f3eacbfc07d6348487c836a31c9f2b4d50412047ab0cf23681ca04e1a8df0a7326969b6783457a58caf6cfa6439e787bc25636761e98d544ce73aef1af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tb

Filesize
14KB

MD5
4c13b28668dd8a68cbe6c6ccbdfe920c

SHA1
cbea52003eb6bc8f99c744ccb2aec6fe14038401

SHA256
e85d48b8c791064eab90d4bcd8732ff0e1f5adf96e7372ca75770049093c39f5

SHA512
f6f730d6788485df64823a333b75c77d61019676b6393592f9c2c54fa1972aa9b30b6d399a5da547f6b1b755a421f09a1f430b4fb91d384d65f82648695c9c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Workflow

Filesize
31KB

MD5
f736112e02c5be9220fbbde085d8c584

SHA1
2edea83c1be6082d6e5f9d41aa1f118fed15c377

SHA256
2231bc5ddfaa0b0bd69058ca6619c6fd148174ac699a5976df0d4c38fe66cb4f

SHA512
23b799c1a396ed4b9ae0133ecc368653b2a4dc66774a451fa8bffa1344588070b8546b870279ea6fc23c7c1b8d378121991ca1f42a1f2a9f6ffdeac59aaf90c9

Download Submit