2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf

Analysis

max time kernel
162s
max time network
189s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe
Size

2.5MB
MD5

c67979c54ed1193e84fc034171a605a4
SHA1

ba9b16191d2b27457b1e4e6c5f4280a729b6e4b9
SHA256

2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf
SHA512

977d4df49119c73e2e99090e7ce29039ee4ab8e7875ed1245da3cbe6ab0f022f7c7809285228a6e9d7e702cf7a75c70c620167f86689c3fc3b78fc8976409b0f

Score

10^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Executes dropped EXE 4 IoCs

Processes:

irsetup.exeGifRecord.exeGifRecord.exeGifRecord.exe

pid process

1528 irsetup.exe
2044 GifRecord.exe
1064 GifRecord.exe
912 GifRecord.exe

pid	process
1528	irsetup.exe
2044	GifRecord.exe
1064	GifRecord.exe
912	GifRecord.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx

Loads dropped DLL 25 IoCs

Processes:

2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exeirsetup.exerundll32.exerundll32.exe

pid	process
916	2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe
916	2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe
916	2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe
916	2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe
1528	irsetup.exe
1528	irsetup.exe
1528	irsetup.exe
1528	irsetup.exe
1528	irsetup.exe
1528	irsetup.exe
1528	irsetup.exe
1528	irsetup.exe
1528	irsetup.exe
1528	irsetup.exe
1528	irsetup.exe
1824	rundll32.exe
1824	rundll32.exe
1824	rundll32.exe
1824	rundll32.exe
1508	rundll32.exe
1508	rundll32.exe
1508	rundll32.exe
1508	rundll32.exe
1312
1312

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

GifRecord.exeGifRecord.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GifRecord.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GifRecord.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\GifRecord\Uninst.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\GifRecord\Uninst.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

GifRecord.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\GifRecord.exe = "11000"	GifRecord.exe

Modifies registry class 7 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\ = "GifRecord"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\GifRecord\\GifRecord.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\Implemented Categories	rundll32.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

GifRecord.exe

pid	process
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe
1064	GifRecord.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

irsetup.exerundll32.exe

pid process

1528 irsetup.exe
1528 irsetup.exe
1508 rundll32.exe

pid	process
1528	irsetup.exe
1528	irsetup.exe
1508	rundll32.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exeirsetup.exerundll32.exe

description	pid	process	target process
PID 916 wrote to memory of 1528	916	2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe	irsetup.exe
PID 916 wrote to memory of 1528	916	2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe	irsetup.exe
PID 916 wrote to memory of 1528	916	2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe	irsetup.exe
PID 916 wrote to memory of 1528	916	2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe	irsetup.exe
PID 916 wrote to memory of 1528	916	2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe	irsetup.exe
PID 916 wrote to memory of 1528	916	2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe	irsetup.exe
PID 916 wrote to memory of 1528	916	2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe	irsetup.exe
PID 1528 wrote to memory of 2044	1528	irsetup.exe	GifRecord.exe
PID 1528 wrote to memory of 2044	1528	irsetup.exe	GifRecord.exe
PID 1528 wrote to memory of 2044	1528	irsetup.exe	GifRecord.exe
PID 1528 wrote to memory of 2044	1528	irsetup.exe	GifRecord.exe
PID 1528 wrote to memory of 1064	1528	irsetup.exe	GifRecord.exe
PID 1528 wrote to memory of 1064	1528	irsetup.exe	GifRecord.exe
PID 1528 wrote to memory of 1064	1528	irsetup.exe	GifRecord.exe
PID 1528 wrote to memory of 1064	1528	irsetup.exe	GifRecord.exe
PID 1528 wrote to memory of 1824	1528	irsetup.exe	rundll32.exe
PID 1528 wrote to memory of 1824	1528	irsetup.exe	rundll32.exe
PID 1528 wrote to memory of 1824	1528	irsetup.exe	rundll32.exe
PID 1528 wrote to memory of 1824	1528	irsetup.exe	rundll32.exe
PID 1528 wrote to memory of 1824	1528	irsetup.exe	rundll32.exe
PID 1528 wrote to memory of 1824	1528	irsetup.exe	rundll32.exe
PID 1528 wrote to memory of 1824	1528	irsetup.exe	rundll32.exe
PID 1824 wrote to memory of 1508	1824	rundll32.exe	rundll32.exe
PID 1824 wrote to memory of 1508	1824	rundll32.exe	rundll32.exe
PID 1824 wrote to memory of 1508	1824	rundll32.exe	rundll32.exe
PID 1824 wrote to memory of 1508	1824	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe
"C:\Users\Admin\AppData\Local\Temp\2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:916

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1828898 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-1083475884-596052423-1669053738-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
"C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe" -setup
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:2044

C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
"C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe" -run
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1064

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" /s GifRecord.dll DllGetClassObjectEx
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" /s GifRecord.dll DllGetClassObjectEx
4⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
-run
1⤵
- Executes dropped EXE
PID:912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.cfg
Filesize
113B

MD5
fe794baf1f42ddfbee4485742f8ddc51

SHA1
ae6d789a956e7167d19f63ba98feea56901522c3

SHA256
cb311b79f4758ac7fc88916893e5a34cc0c2c5c2741bccbafafc397a889be185

SHA512
970b956ffd33aad7612efca64ed9bcb9da2da9abcc8fbf8a6f6cf5e634287255bdb128a07a6cb03ed342e82046e933bf4ab45544e61188f54efb41530d9ccbbf

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.cfg
Filesize
190B

MD5
83a2c52b64ba162645dee27b2ba7586a

SHA1
da4046377fee64ef39b1f824f1241bc1618e1cdb

SHA256
bd5099cfda50b2c6fb951f94366a5f4e729bd93d44bc4e119df5144c9879ee21

SHA512
2ac24859d5223b24698719d73350f6642482e8915feb710251f6bacaee0bf71876e1af5b5268048c1157b7be35dde1b7d2386a62015a83ae3736172b1aba5602

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll
Filesize
354KB

MD5
caaac2e6c057948d8921e5d1c0e1c167

SHA1
96079bb53b3572bf212a4e9e460dba77c1dc4650

SHA256
1a39e609f5b3f2f03d8868f36dd4d36c06c2db4932c71e60625a50db31ecf1c5

SHA512
f8c32f060e3ae653421f9d50e521c55f5198599303f767b4738e007e84e76af028e737f0cb3c6b5b1b0d1f1e7125dbc1bf050143abc47c517579169c3fa924c3

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
Filesize
954KB

MD5
1eb82dc9cb9202fcf4209fecdfe56f18

SHA1
d99bc05baf7807c215dd5fa2e545c1faef900922

SHA256
e8121ee01b811508631d6c64ea831dd1436443dc44a70cb0abc3f30cf4a80743

SHA512
e3debb68e3b72525fde8743469fb1d4bba571927e11c530a1328ab7d905daf7823f27887e55d520a5bc12dd0285167be338dc4110a2674c64de0fbf8f28558f2

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
Filesize
954KB

MD5
1eb82dc9cb9202fcf4209fecdfe56f18

SHA1
d99bc05baf7807c215dd5fa2e545c1faef900922

SHA256
e8121ee01b811508631d6c64ea831dd1436443dc44a70cb0abc3f30cf4a80743

SHA512
e3debb68e3b72525fde8743469fb1d4bba571927e11c530a1328ab7d905daf7823f27887e55d520a5bc12dd0285167be338dc4110a2674c64de0fbf8f28558f2

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
Filesize
954KB

MD5
1eb82dc9cb9202fcf4209fecdfe56f18

SHA1
d99bc05baf7807c215dd5fa2e545c1faef900922

SHA256
e8121ee01b811508631d6c64ea831dd1436443dc44a70cb0abc3f30cf4a80743

SHA512
e3debb68e3b72525fde8743469fb1d4bba571927e11c530a1328ab7d905daf7823f27887e55d520a5bc12dd0285167be338dc4110a2674c64de0fbf8f28558f2

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll
Filesize
354KB

MD5
caaac2e6c057948d8921e5d1c0e1c167

SHA1
96079bb53b3572bf212a4e9e460dba77c1dc4650

SHA256
1a39e609f5b3f2f03d8868f36dd4d36c06c2db4932c71e60625a50db31ecf1c5

SHA512
f8c32f060e3ae653421f9d50e521c55f5198599303f767b4738e007e84e76af028e737f0cb3c6b5b1b0d1f1e7125dbc1bf050143abc47c517579169c3fa924c3

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll
Filesize
354KB

MD5
caaac2e6c057948d8921e5d1c0e1c167

SHA1
96079bb53b3572bf212a4e9e460dba77c1dc4650

SHA256
1a39e609f5b3f2f03d8868f36dd4d36c06c2db4932c71e60625a50db31ecf1c5

SHA512
f8c32f060e3ae653421f9d50e521c55f5198599303f767b4738e007e84e76af028e737f0cb3c6b5b1b0d1f1e7125dbc1bf050143abc47c517579169c3fa924c3

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll
Filesize
354KB

MD5
caaac2e6c057948d8921e5d1c0e1c167

SHA1
96079bb53b3572bf212a4e9e460dba77c1dc4650

SHA256
1a39e609f5b3f2f03d8868f36dd4d36c06c2db4932c71e60625a50db31ecf1c5

SHA512
f8c32f060e3ae653421f9d50e521c55f5198599303f767b4738e007e84e76af028e737f0cb3c6b5b1b0d1f1e7125dbc1bf050143abc47c517579169c3fa924c3

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll
Filesize
354KB

MD5
caaac2e6c057948d8921e5d1c0e1c167

SHA1
96079bb53b3572bf212a4e9e460dba77c1dc4650

SHA256
1a39e609f5b3f2f03d8868f36dd4d36c06c2db4932c71e60625a50db31ecf1c5

SHA512
f8c32f060e3ae653421f9d50e521c55f5198599303f767b4738e007e84e76af028e737f0cb3c6b5b1b0d1f1e7125dbc1bf050143abc47c517579169c3fa924c3

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll
Filesize
354KB

MD5
caaac2e6c057948d8921e5d1c0e1c167

SHA1
96079bb53b3572bf212a4e9e460dba77c1dc4650

SHA256
1a39e609f5b3f2f03d8868f36dd4d36c06c2db4932c71e60625a50db31ecf1c5

SHA512
f8c32f060e3ae653421f9d50e521c55f5198599303f767b4738e007e84e76af028e737f0cb3c6b5b1b0d1f1e7125dbc1bf050143abc47c517579169c3fa924c3

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll
Filesize
354KB

MD5
caaac2e6c057948d8921e5d1c0e1c167

SHA1
96079bb53b3572bf212a4e9e460dba77c1dc4650

SHA256
1a39e609f5b3f2f03d8868f36dd4d36c06c2db4932c71e60625a50db31ecf1c5

SHA512
f8c32f060e3ae653421f9d50e521c55f5198599303f767b4738e007e84e76af028e737f0cb3c6b5b1b0d1f1e7125dbc1bf050143abc47c517579169c3fa924c3

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll
Filesize
354KB

MD5
caaac2e6c057948d8921e5d1c0e1c167

SHA1
96079bb53b3572bf212a4e9e460dba77c1dc4650

SHA256
1a39e609f5b3f2f03d8868f36dd4d36c06c2db4932c71e60625a50db31ecf1c5

SHA512
f8c32f060e3ae653421f9d50e521c55f5198599303f767b4738e007e84e76af028e737f0cb3c6b5b1b0d1f1e7125dbc1bf050143abc47c517579169c3fa924c3

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll
Filesize
354KB

MD5
caaac2e6c057948d8921e5d1c0e1c167

SHA1
96079bb53b3572bf212a4e9e460dba77c1dc4650

SHA256
1a39e609f5b3f2f03d8868f36dd4d36c06c2db4932c71e60625a50db31ecf1c5

SHA512
f8c32f060e3ae653421f9d50e521c55f5198599303f767b4738e007e84e76af028e737f0cb3c6b5b1b0d1f1e7125dbc1bf050143abc47c517579169c3fa924c3

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll
Filesize
354KB

MD5
caaac2e6c057948d8921e5d1c0e1c167

SHA1
96079bb53b3572bf212a4e9e460dba77c1dc4650

SHA256
1a39e609f5b3f2f03d8868f36dd4d36c06c2db4932c71e60625a50db31ecf1c5

SHA512
f8c32f060e3ae653421f9d50e521c55f5198599303f767b4738e007e84e76af028e737f0cb3c6b5b1b0d1f1e7125dbc1bf050143abc47c517579169c3fa924c3

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll
Filesize
354KB

MD5
caaac2e6c057948d8921e5d1c0e1c167

SHA1
96079bb53b3572bf212a4e9e460dba77c1dc4650

SHA256
1a39e609f5b3f2f03d8868f36dd4d36c06c2db4932c71e60625a50db31ecf1c5

SHA512
f8c32f060e3ae653421f9d50e521c55f5198599303f767b4738e007e84e76af028e737f0cb3c6b5b1b0d1f1e7125dbc1bf050143abc47c517579169c3fa924c3

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
Filesize
954KB

MD5
1eb82dc9cb9202fcf4209fecdfe56f18

SHA1
d99bc05baf7807c215dd5fa2e545c1faef900922

SHA256
e8121ee01b811508631d6c64ea831dd1436443dc44a70cb0abc3f30cf4a80743

SHA512
e3debb68e3b72525fde8743469fb1d4bba571927e11c530a1328ab7d905daf7823f27887e55d520a5bc12dd0285167be338dc4110a2674c64de0fbf8f28558f2

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
Filesize
954KB

MD5
1eb82dc9cb9202fcf4209fecdfe56f18

SHA1
d99bc05baf7807c215dd5fa2e545c1faef900922

SHA256
e8121ee01b811508631d6c64ea831dd1436443dc44a70cb0abc3f30cf4a80743

SHA512
e3debb68e3b72525fde8743469fb1d4bba571927e11c530a1328ab7d905daf7823f27887e55d520a5bc12dd0285167be338dc4110a2674c64de0fbf8f28558f2

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
Filesize
954KB

MD5
1eb82dc9cb9202fcf4209fecdfe56f18

SHA1
d99bc05baf7807c215dd5fa2e545c1faef900922

SHA256
e8121ee01b811508631d6c64ea831dd1436443dc44a70cb0abc3f30cf4a80743

SHA512
e3debb68e3b72525fde8743469fb1d4bba571927e11c530a1328ab7d905daf7823f27887e55d520a5bc12dd0285167be338dc4110a2674c64de0fbf8f28558f2

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
Filesize
954KB

MD5
1eb82dc9cb9202fcf4209fecdfe56f18

SHA1
d99bc05baf7807c215dd5fa2e545c1faef900922

SHA256
e8121ee01b811508631d6c64ea831dd1436443dc44a70cb0abc3f30cf4a80743

SHA512
e3debb68e3b72525fde8743469fb1d4bba571927e11c530a1328ab7d905daf7823f27887e55d520a5bc12dd0285167be338dc4110a2674c64de0fbf8f28558f2

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
Filesize
954KB

MD5
1eb82dc9cb9202fcf4209fecdfe56f18

SHA1
d99bc05baf7807c215dd5fa2e545c1faef900922

SHA256
e8121ee01b811508631d6c64ea831dd1436443dc44a70cb0abc3f30cf4a80743

SHA512
e3debb68e3b72525fde8743469fb1d4bba571927e11c530a1328ab7d905daf7823f27887e55d520a5bc12dd0285167be338dc4110a2674c64de0fbf8f28558f2

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
Filesize
954KB

MD5
1eb82dc9cb9202fcf4209fecdfe56f18

SHA1
d99bc05baf7807c215dd5fa2e545c1faef900922

SHA256
e8121ee01b811508631d6c64ea831dd1436443dc44a70cb0abc3f30cf4a80743

SHA512
e3debb68e3b72525fde8743469fb1d4bba571927e11c530a1328ab7d905daf7823f27887e55d520a5bc12dd0285167be338dc4110a2674c64de0fbf8f28558f2

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
Filesize
954KB

MD5
1eb82dc9cb9202fcf4209fecdfe56f18

SHA1
d99bc05baf7807c215dd5fa2e545c1faef900922

SHA256
e8121ee01b811508631d6c64ea831dd1436443dc44a70cb0abc3f30cf4a80743

SHA512
e3debb68e3b72525fde8743469fb1d4bba571927e11c530a1328ab7d905daf7823f27887e55d520a5bc12dd0285167be338dc4110a2674c64de0fbf8f28558f2

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
Filesize
954KB

MD5
1eb82dc9cb9202fcf4209fecdfe56f18

SHA1
d99bc05baf7807c215dd5fa2e545c1faef900922

SHA256
e8121ee01b811508631d6c64ea831dd1436443dc44a70cb0abc3f30cf4a80743

SHA512
e3debb68e3b72525fde8743469fb1d4bba571927e11c530a1328ab7d905daf7823f27887e55d520a5bc12dd0285167be338dc4110a2674c64de0fbf8f28558f2

Download Submit
\Users\Admin\AppData\Roaming\GifRecord\Uninst.exe
Filesize
95KB

MD5
83c340510a98075830e6a5cb652c39f6

SHA1
80535bd1516cc6dc08a500d6512c7fe16ef8079a

SHA256
160a78b38785b94f2aeaa7f6ead94ba750381a9e50447dd786d4cf1b4ae7e3b0

SHA512
fb900c709ad4663c622c4f92d216104f51470b61cb37e1ad02bba1d858786cd8533e7d1c6116d7dff78ea711ee87d0282d52640142d47e5e9772f29165f1faab

Download Submit
memory/916-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/1064-79-0x0000000000000000-mapping.dmp

Download
memory/1508-89-0x0000000000000000-mapping.dmp

Download
memory/1528-59-0x0000000000000000-mapping.dmp

Download
memory/1824-82-0x0000000000000000-mapping.dmp

Download
memory/2044-72-0x0000000000000000-mapping.dmp

Download