130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4

Analysis

max time kernel
84s
max time network
100s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe
Size

2.5MB
MD5

8bb9ed74829e5998537c4c3814e33cb6
SHA1

37971396d9599d31975100c16e8573ce9265b038
SHA256

130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4
SHA512

6c90fd66280b2fbca79589c38c2c87a13defb7cadbe2ddb95af4bd58edbb9698cb3ba9da87a57ebe4ce36eca68cb88846f0a697ce24dbeba043a18f14cf5e107

Score

10^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Executes dropped EXE 4 IoCs

Processes:

irsetup.exeGifRecord.exeGifRecord.exeGifRecord.exe

pid process

1096 irsetup.exe
1100 GifRecord.exe
2016 GifRecord.exe
972 GifRecord.exe

pid	process
1096	irsetup.exe
1100	GifRecord.exe
2016	GifRecord.exe
972	GifRecord.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx

Loads dropped DLL 24 IoCs

Processes:

130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exeirsetup.exerundll32.exerundll32.exe

pid	process
2028	130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe
2028	130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe
2028	130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe
2028	130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe
1096	irsetup.exe
1096	irsetup.exe
1096	irsetup.exe
1096	irsetup.exe
1096	irsetup.exe
1096	irsetup.exe
1096	irsetup.exe
1096	irsetup.exe
1096	irsetup.exe
1096	irsetup.exe
1096	irsetup.exe
1740	rundll32.exe
1740	rundll32.exe
1740	rundll32.exe
1740	rundll32.exe
1536	rundll32.exe
1536	rundll32.exe
1536	rundll32.exe
1536	rundll32.exe
1416

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

GifRecord.exeGifRecord.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GifRecord.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GifRecord.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\GifRecord\Uninst.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\GifRecord\Uninst.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

GifRecord.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\GifRecord.exe = "11000"	GifRecord.exe

Modifies registry class 7 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\ = "GifRecord"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\GifRecord\\GifRecord.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\Implemented Categories	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

GifRecord.exe

pid	process
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe
1100	GifRecord.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

irsetup.exerundll32.exe

pid process

1096 irsetup.exe
1096 irsetup.exe
1536 rundll32.exe

pid	process
1096	irsetup.exe
1096	irsetup.exe
1536	rundll32.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exeirsetup.exerundll32.exe

description	pid	process	target process
PID 2028 wrote to memory of 1096	2028	130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe	irsetup.exe
PID 2028 wrote to memory of 1096	2028	130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe	irsetup.exe
PID 2028 wrote to memory of 1096	2028	130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe	irsetup.exe
PID 2028 wrote to memory of 1096	2028	130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe	irsetup.exe
PID 2028 wrote to memory of 1096	2028	130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe	irsetup.exe
PID 2028 wrote to memory of 1096	2028	130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe	irsetup.exe
PID 2028 wrote to memory of 1096	2028	130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe	irsetup.exe
PID 1096 wrote to memory of 1100	1096	irsetup.exe	GifRecord.exe
PID 1096 wrote to memory of 1100	1096	irsetup.exe	GifRecord.exe
PID 1096 wrote to memory of 1100	1096	irsetup.exe	GifRecord.exe
PID 1096 wrote to memory of 1100	1096	irsetup.exe	GifRecord.exe
PID 1096 wrote to memory of 2016	1096	irsetup.exe	GifRecord.exe
PID 1096 wrote to memory of 2016	1096	irsetup.exe	GifRecord.exe
PID 1096 wrote to memory of 2016	1096	irsetup.exe	GifRecord.exe
PID 1096 wrote to memory of 2016	1096	irsetup.exe	GifRecord.exe
PID 1096 wrote to memory of 1740	1096	irsetup.exe	rundll32.exe
PID 1096 wrote to memory of 1740	1096	irsetup.exe	rundll32.exe
PID 1096 wrote to memory of 1740	1096	irsetup.exe	rundll32.exe
PID 1096 wrote to memory of 1740	1096	irsetup.exe	rundll32.exe
PID 1096 wrote to memory of 1740	1096	irsetup.exe	rundll32.exe
PID 1096 wrote to memory of 1740	1096	irsetup.exe	rundll32.exe
PID 1096 wrote to memory of 1740	1096	irsetup.exe	rundll32.exe
PID 1740 wrote to memory of 1536	1740	rundll32.exe	rundll32.exe
PID 1740 wrote to memory of 1536	1740	rundll32.exe	rundll32.exe
PID 1740 wrote to memory of 1536	1740	rundll32.exe	rundll32.exe
PID 1740 wrote to memory of 1536	1740	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe
"C:\Users\Admin\AppData\Local\Temp\130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1828898 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-1819626980-2277161760-1023733287-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
"C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe" -setup
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
PID:1100

C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
"C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe" -run
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2016

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" /s GifRecord.dll DllGetClassObjectEx
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" /s GifRecord.dll DllGetClassObjectEx
4⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1536

C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
-run
1⤵
- Executes dropped EXE
PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
C:\Users\Admin\AppData\Local\masm71.dat

Filesize
27B

MD5
f24af2c98c3e073d53b89ddf558d5fb5

SHA1
513491084b39bcbb09720ccb069d313b9099b220

SHA256
5e70bab7ad9428369e5fa2f1af6f556120b18f927d8575af907baa04c5cb903b

SHA512
570d4fab34c4166024f206aaaa6e9272ab1ce14ec30517e562c12b4f69a368befbb000df7969275a65e3768652ef63a66050df1e095a6eeb17805041d6201923

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.cfg

Filesize
113B

MD5
fe794baf1f42ddfbee4485742f8ddc51

SHA1
ae6d789a956e7167d19f63ba98feea56901522c3

SHA256
cb311b79f4758ac7fc88916893e5a34cc0c2c5c2741bccbafafc397a889be185

SHA512
970b956ffd33aad7612efca64ed9bcb9da2da9abcc8fbf8a6f6cf5e634287255bdb128a07a6cb03ed342e82046e933bf4ab45544e61188f54efb41530d9ccbbf

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.cfg

Filesize
161B

MD5
2d0e4be4c56373c7659b7fcd0f485884

SHA1
50ebd2edbe131f182a5aeb16b0138ae4b5d675a0

SHA256
0977008e8d5b3d0570f73e7865c5a28bcc6ff6ab809dd2c20354f76430bf965d

SHA512
c96684bec970448001f086f62fa419583047ca2cf62e0123b7f1f9ce4dda131f713e7fc3ec8e68a928f0b7b2d99b08b6e75ffdc1af0c7aa8dfd3e9c22e313077

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll

Filesize
354KB

MD5
42448fbdd7518ec2621a2be25e08f9a1

SHA1
4536e8cb9adda29834ec77100bf60dc60ccb0d9c

SHA256
4fc5d1be5dcb0eae871c91f932a016866cabb7e8bef62cd872a4038304d5b6b3

SHA512
3a5bec44c81de1b01ea70db218af23b282b9f7f37e648e9a12effd7e4b76d5108a6d03a5ba33a43c49a5ef5a900c76e75c38fddc8c806b24f0642bad2e378c3b

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe

Filesize
954KB

MD5
c7f4406ead0af29e975704af853054d1

SHA1
c0dbc136ea31d192972002b38a2e96fadc377d70

SHA256
5ea1eff6d23ce7675cb9814e05311106f6302925fa1e39ffbf5de8b740146ef9

SHA512
bc8f512ed40fa221d943663fd91b6fac8c3359145c00d934a7c8bdfd72984962f18848c2b9a1ff1b53833084c854b4b24f1e75107e8e58eb9376e299147b45d6

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe

Filesize
954KB

MD5
c7f4406ead0af29e975704af853054d1

SHA1
c0dbc136ea31d192972002b38a2e96fadc377d70

SHA256
5ea1eff6d23ce7675cb9814e05311106f6302925fa1e39ffbf5de8b740146ef9

SHA512
bc8f512ed40fa221d943663fd91b6fac8c3359145c00d934a7c8bdfd72984962f18848c2b9a1ff1b53833084c854b4b24f1e75107e8e58eb9376e299147b45d6

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe

Filesize
954KB

MD5
c7f4406ead0af29e975704af853054d1

SHA1
c0dbc136ea31d192972002b38a2e96fadc377d70

SHA256
5ea1eff6d23ce7675cb9814e05311106f6302925fa1e39ffbf5de8b740146ef9

SHA512
bc8f512ed40fa221d943663fd91b6fac8c3359145c00d934a7c8bdfd72984962f18848c2b9a1ff1b53833084c854b4b24f1e75107e8e58eb9376e299147b45d6

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll

Filesize
354KB

MD5
42448fbdd7518ec2621a2be25e08f9a1

SHA1
4536e8cb9adda29834ec77100bf60dc60ccb0d9c

SHA256
4fc5d1be5dcb0eae871c91f932a016866cabb7e8bef62cd872a4038304d5b6b3

SHA512
3a5bec44c81de1b01ea70db218af23b282b9f7f37e648e9a12effd7e4b76d5108a6d03a5ba33a43c49a5ef5a900c76e75c38fddc8c806b24f0642bad2e378c3b

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll

Filesize
354KB

MD5
42448fbdd7518ec2621a2be25e08f9a1

SHA1
4536e8cb9adda29834ec77100bf60dc60ccb0d9c

SHA256
4fc5d1be5dcb0eae871c91f932a016866cabb7e8bef62cd872a4038304d5b6b3

SHA512
3a5bec44c81de1b01ea70db218af23b282b9f7f37e648e9a12effd7e4b76d5108a6d03a5ba33a43c49a5ef5a900c76e75c38fddc8c806b24f0642bad2e378c3b

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll

Filesize
354KB

MD5
42448fbdd7518ec2621a2be25e08f9a1

SHA1
4536e8cb9adda29834ec77100bf60dc60ccb0d9c

SHA256
4fc5d1be5dcb0eae871c91f932a016866cabb7e8bef62cd872a4038304d5b6b3

SHA512
3a5bec44c81de1b01ea70db218af23b282b9f7f37e648e9a12effd7e4b76d5108a6d03a5ba33a43c49a5ef5a900c76e75c38fddc8c806b24f0642bad2e378c3b

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll

Filesize
354KB

MD5
42448fbdd7518ec2621a2be25e08f9a1

SHA1
4536e8cb9adda29834ec77100bf60dc60ccb0d9c

SHA256
4fc5d1be5dcb0eae871c91f932a016866cabb7e8bef62cd872a4038304d5b6b3

SHA512
3a5bec44c81de1b01ea70db218af23b282b9f7f37e648e9a12effd7e4b76d5108a6d03a5ba33a43c49a5ef5a900c76e75c38fddc8c806b24f0642bad2e378c3b

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll

Filesize
354KB

MD5
42448fbdd7518ec2621a2be25e08f9a1

SHA1
4536e8cb9adda29834ec77100bf60dc60ccb0d9c

SHA256
4fc5d1be5dcb0eae871c91f932a016866cabb7e8bef62cd872a4038304d5b6b3

SHA512
3a5bec44c81de1b01ea70db218af23b282b9f7f37e648e9a12effd7e4b76d5108a6d03a5ba33a43c49a5ef5a900c76e75c38fddc8c806b24f0642bad2e378c3b

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll

Filesize
354KB

MD5
42448fbdd7518ec2621a2be25e08f9a1

SHA1
4536e8cb9adda29834ec77100bf60dc60ccb0d9c

SHA256
4fc5d1be5dcb0eae871c91f932a016866cabb7e8bef62cd872a4038304d5b6b3

SHA512
3a5bec44c81de1b01ea70db218af23b282b9f7f37e648e9a12effd7e4b76d5108a6d03a5ba33a43c49a5ef5a900c76e75c38fddc8c806b24f0642bad2e378c3b

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll

Filesize
354KB

MD5
42448fbdd7518ec2621a2be25e08f9a1

SHA1
4536e8cb9adda29834ec77100bf60dc60ccb0d9c

SHA256
4fc5d1be5dcb0eae871c91f932a016866cabb7e8bef62cd872a4038304d5b6b3

SHA512
3a5bec44c81de1b01ea70db218af23b282b9f7f37e648e9a12effd7e4b76d5108a6d03a5ba33a43c49a5ef5a900c76e75c38fddc8c806b24f0642bad2e378c3b

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll

Filesize
354KB

MD5
42448fbdd7518ec2621a2be25e08f9a1

SHA1
4536e8cb9adda29834ec77100bf60dc60ccb0d9c

SHA256
4fc5d1be5dcb0eae871c91f932a016866cabb7e8bef62cd872a4038304d5b6b3

SHA512
3a5bec44c81de1b01ea70db218af23b282b9f7f37e648e9a12effd7e4b76d5108a6d03a5ba33a43c49a5ef5a900c76e75c38fddc8c806b24f0642bad2e378c3b

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll

Filesize
354KB

MD5
42448fbdd7518ec2621a2be25e08f9a1

SHA1
4536e8cb9adda29834ec77100bf60dc60ccb0d9c

SHA256
4fc5d1be5dcb0eae871c91f932a016866cabb7e8bef62cd872a4038304d5b6b3

SHA512
3a5bec44c81de1b01ea70db218af23b282b9f7f37e648e9a12effd7e4b76d5108a6d03a5ba33a43c49a5ef5a900c76e75c38fddc8c806b24f0642bad2e378c3b

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe

Filesize
954KB

MD5
c7f4406ead0af29e975704af853054d1

SHA1
c0dbc136ea31d192972002b38a2e96fadc377d70

SHA256
5ea1eff6d23ce7675cb9814e05311106f6302925fa1e39ffbf5de8b740146ef9

SHA512
bc8f512ed40fa221d943663fd91b6fac8c3359145c00d934a7c8bdfd72984962f18848c2b9a1ff1b53833084c854b4b24f1e75107e8e58eb9376e299147b45d6

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe

Filesize
954KB

MD5
c7f4406ead0af29e975704af853054d1

SHA1
c0dbc136ea31d192972002b38a2e96fadc377d70

SHA256
5ea1eff6d23ce7675cb9814e05311106f6302925fa1e39ffbf5de8b740146ef9

SHA512
bc8f512ed40fa221d943663fd91b6fac8c3359145c00d934a7c8bdfd72984962f18848c2b9a1ff1b53833084c854b4b24f1e75107e8e58eb9376e299147b45d6

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe

Filesize
954KB

MD5
c7f4406ead0af29e975704af853054d1

SHA1
c0dbc136ea31d192972002b38a2e96fadc377d70

SHA256
5ea1eff6d23ce7675cb9814e05311106f6302925fa1e39ffbf5de8b740146ef9

SHA512
bc8f512ed40fa221d943663fd91b6fac8c3359145c00d934a7c8bdfd72984962f18848c2b9a1ff1b53833084c854b4b24f1e75107e8e58eb9376e299147b45d6

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe

Filesize
954KB

MD5
c7f4406ead0af29e975704af853054d1

SHA1
c0dbc136ea31d192972002b38a2e96fadc377d70

SHA256
5ea1eff6d23ce7675cb9814e05311106f6302925fa1e39ffbf5de8b740146ef9

SHA512
bc8f512ed40fa221d943663fd91b6fac8c3359145c00d934a7c8bdfd72984962f18848c2b9a1ff1b53833084c854b4b24f1e75107e8e58eb9376e299147b45d6

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe

Filesize
954KB

MD5
c7f4406ead0af29e975704af853054d1

SHA1
c0dbc136ea31d192972002b38a2e96fadc377d70

SHA256
5ea1eff6d23ce7675cb9814e05311106f6302925fa1e39ffbf5de8b740146ef9

SHA512
bc8f512ed40fa221d943663fd91b6fac8c3359145c00d934a7c8bdfd72984962f18848c2b9a1ff1b53833084c854b4b24f1e75107e8e58eb9376e299147b45d6

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe

Filesize
954KB

MD5
c7f4406ead0af29e975704af853054d1

SHA1
c0dbc136ea31d192972002b38a2e96fadc377d70

SHA256
5ea1eff6d23ce7675cb9814e05311106f6302925fa1e39ffbf5de8b740146ef9

SHA512
bc8f512ed40fa221d943663fd91b6fac8c3359145c00d934a7c8bdfd72984962f18848c2b9a1ff1b53833084c854b4b24f1e75107e8e58eb9376e299147b45d6

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe

Filesize
954KB

MD5
c7f4406ead0af29e975704af853054d1

SHA1
c0dbc136ea31d192972002b38a2e96fadc377d70

SHA256
5ea1eff6d23ce7675cb9814e05311106f6302925fa1e39ffbf5de8b740146ef9

SHA512
bc8f512ed40fa221d943663fd91b6fac8c3359145c00d934a7c8bdfd72984962f18848c2b9a1ff1b53833084c854b4b24f1e75107e8e58eb9376e299147b45d6

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe

Filesize
954KB

MD5
c7f4406ead0af29e975704af853054d1

SHA1
c0dbc136ea31d192972002b38a2e96fadc377d70

SHA256
5ea1eff6d23ce7675cb9814e05311106f6302925fa1e39ffbf5de8b740146ef9

SHA512
bc8f512ed40fa221d943663fd91b6fac8c3359145c00d934a7c8bdfd72984962f18848c2b9a1ff1b53833084c854b4b24f1e75107e8e58eb9376e299147b45d6

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\Uninst.exe

Filesize
95KB

MD5
f61dacaf4b90c1488d3e464f1947aafe

SHA1
8e8602362bc75405f715303cd79de603d6d8695b

SHA256
5818b4318ed7457fe09a191410469406d058637c5131a4b15ae4571eeed9f18b

SHA512
9519aefda97e249593eaccf7c4240b0fbae16ddfa37aa68a449ba2661aa5876f3a1af9577c486ca8c440d5aa8c6fdec16d7c459f6014d73a611efbeed4f5d9fc

Download Submit
memory/1096-59-0x0000000000000000-mapping.dmp

Download
memory/1100-72-0x0000000000000000-mapping.dmp

Download
memory/1536-89-0x0000000000000000-mapping.dmp

Download
memory/1740-82-0x0000000000000000-mapping.dmp

Download
memory/2016-79-0x0000000000000000-mapping.dmp

Download
memory/2028-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download