hxxps://napkforpc[.]com/download/apk/com[.]miniplay[.]gunspin/

Analysis

max time kernel
149s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://napkforpc.com/download/apk/com.miniplay.gunspin/

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 2c9ba0669e45d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "40895239"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31023084"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\napkforpc.com\ = "58"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "26"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\napkforpc.com\ = "16372"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "16498"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\napkforpc.com\Total = "16498"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2CB832BE-CBDF-11ED-ABF7-DA4DA442263B} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\napkforpc.com\ = "16498"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000675316f82fdac74aa8f3bd7995064a9700000000020000000000106600000001000020000000a75cc1834b4812f2bebafdb42b9b5e43b0f25fc4dbe67ff60a3b6229b4d787b7000000000e8000000002000020000000f49b35dd65f688601286fd6327debbf9d5df258432a54477e22a380ca90c74f020000000241883477eeb1dd48b4df570f13c050f4e36fc9406658dd2ac4d6da7883eee1c400000008c539b8a1e9fdd909ff8a9154612f11f54b404224f70169df96db9165aa5bb100723bd6e33cc9e60632eeb4a5ef0f1d2d09b361da72dc006b73f9efbff24b022	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\napkforpc.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\napkforpc.com\ = "26"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "58"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\DOMStorage\napkforpc.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\napkforpc.com\Total = "26"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{5E21BF59-575B-45FB-98FF-39ABDF320E16}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\napkforpc.com\Total = "16411"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "386604467"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\napkforpc.com\ = "16411"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31023084"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50a45b06ec5fd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "16411"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00807f06ec5fd901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\napkforpc.com\Total = "58"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\napkforpc.com\Total = "16372"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "40895239"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\napkforpc.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "16372"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE

Modifies registry class 26 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\򒊠ƣ\ = "xapk_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\蟲診฀耀⬐㚬ƣ\ = "xapk_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\xapk_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.xapk	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\򒊠ƣ	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\xapk_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\xapk_auto_file\shell\open\CommandId = "IE.File"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\蟲診฀耀⬐㚬ƣ	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.xapk\ = "xapk_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\ƣ	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\ƣ\ = "xapk_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\蟰証ༀ蠀⪰곒翽	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\蟰証ༀ蠀⪰곒翽\ = "xapk_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\xapk_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\\ = "xapk_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\xapk_auto_file\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\xapk_auto_file\shell\open	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\xapk_auto_file\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
760	iexplore.exe
760	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2932	OpenWith.exe
3592	OpenWith.exe
2856	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1348	firefox.exe
Token: SeDebugPrivilege	1348	firefox.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
760	iexplore.exe
760	iexplore.exe
760	iexplore.exe
760	iexplore.exe
760	iexplore.exe
760	iexplore.exe
760	iexplore.exe
760	iexplore.exe
1348	firefox.exe
1348	firefox.exe
1348	firefox.exe
1348	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1348	firefox.exe
1348	firefox.exe
1348	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
760	iexplore.exe
760	iexplore.exe
4720	IEXPLORE.EXE
4720	IEXPLORE.EXE
4244	IEXPLORE.EXE
4244	IEXPLORE.EXE
4244	IEXPLORE.EXE
4244	IEXPLORE.EXE
4720	IEXPLORE.EXE
4720	IEXPLORE.EXE
2932	OpenWith.exe
4720	IEXPLORE.EXE
4720	IEXPLORE.EXE
2932	OpenWith.exe
2932	OpenWith.exe
2932	OpenWith.exe
2932	OpenWith.exe
2932	OpenWith.exe
2932	OpenWith.exe
2932	OpenWith.exe
2932	OpenWith.exe
2932	OpenWith.exe
2932	OpenWith.exe
2932	OpenWith.exe
2932	OpenWith.exe
2932	OpenWith.exe
2932	OpenWith.exe
2932	OpenWith.exe
2932	OpenWith.exe
2932	OpenWith.exe
2932	OpenWith.exe
2932	OpenWith.exe
2932	OpenWith.exe
3192	IEXPLORE.EXE
3192	IEXPLORE.EXE
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 4720	760	iexplore.exe	86
PID 760 wrote to memory of 4720	760	iexplore.exe	86
PID 760 wrote to memory of 4720	760	iexplore.exe	86
PID 760 wrote to memory of 4244	760	iexplore.exe	93
PID 760 wrote to memory of 4244	760	iexplore.exe	93
PID 760 wrote to memory of 4244	760	iexplore.exe	93
PID 760 wrote to memory of 3192	760	iexplore.exe	98
PID 760 wrote to memory of 3192	760	iexplore.exe	98
PID 760 wrote to memory of 3192	760	iexplore.exe	98
PID 3592 wrote to memory of 4832	3592	OpenWith.exe	100
PID 3592 wrote to memory of 4832	3592	OpenWith.exe	100
PID 3592 wrote to memory of 4832	3592	OpenWith.exe	100
PID 4832 wrote to memory of 3748	4832	AcroRd32.exe	102
PID 4832 wrote to memory of 3748	4832	AcroRd32.exe	102
PID 4832 wrote to memory of 3748	4832	AcroRd32.exe	102
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 1080	3748	RdrCEF.exe	103
PID 3748 wrote to memory of 768	3748	RdrCEF.exe	104
PID 3748 wrote to memory of 768	3748	RdrCEF.exe	104
PID 3748 wrote to memory of 768	3748	RdrCEF.exe	104
PID 3748 wrote to memory of 768	3748	RdrCEF.exe	104
PID 3748 wrote to memory of 768	3748	RdrCEF.exe	104
PID 3748 wrote to memory of 768	3748	RdrCEF.exe	104
PID 3748 wrote to memory of 768	3748	RdrCEF.exe	104
PID 3748 wrote to memory of 768	3748	RdrCEF.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://napkforpc.com/download/apk/com.miniplay.gunspin/
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:760
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:760 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4720
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:760 CREDAT:17412 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4244
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:760 CREDAT:17418 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3192
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:760 CREDAT:82972 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:2296
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:760 CREDAT:17430 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:4316
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:760 CREDAT:82984 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:2704

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2932

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\com.miniplay.gunspin.Napkforpc.com.xapk"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C9F70D33B118EDEBABB16B515867F33F --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1080
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=14217D3F95071D1C2ACA593D2F00732A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=14217D3F95071D1C2ACA593D2F00732A --renderer-client-id=2 --mojo-platform-channel-handle=1800 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:768
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=09B4771899D87220EC7AD67F093D2FC1 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4232
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2773C873401F752A8CB7F2EC352C8DC4 --mojo-platform-channel-handle=1796 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4784

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:4320

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:3304

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2856
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\com.miniplay.gunspin.Napkforpc.com (1) (1).xapk"
  2⤵
  PID:5068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\com.miniplay.gunspin.Napkforpc.com (1) (1).xapk"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1348
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1348.0.2030926863\1921098281" -parentBuildID 20221007134813 -prefsHandle 1832 -prefMapHandle 1824 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {226fb4f8-69c3-42fd-ac9f-64bbe8bc1aaa} 1348 "\\.\pipe\gecko-crash-server-pipe.1348" 1920 1a5aaaa9f58 gpu
      4⤵
      PID:916
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1348.1.1074441742\76669462" -parentBuildID 20221007134813 -prefsHandle 2312 -prefMapHandle 2308 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f97a742-b08f-4587-8a17-83d3dae9bd9c} 1348 "\\.\pipe\gecko-crash-server-pipe.1348" 2324 1a59ca72358 socket
      4⤵
      PID:3500
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1348.2.50527036\1339329596" -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 3080 -prefsLen 21854 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cd8b21a-61e1-4ca1-a737-91de72c141e3} 1348 "\\.\pipe\gecko-crash-server-pipe.1348" 3020 1a5ad714258 tab
      4⤵
      PID:3640
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1348.3.1423427383\811220186" -childID 2 -isForBrowser -prefsHandle 3904 -prefMapHandle 3900 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bed2da01-5558-4fb6-90a3-a5fede1d203a} 1348 "\\.\pipe\gecko-crash-server-pipe.1348" 3916 1a5ae6aa858 tab
      4⤵
      PID:4680
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1348.4.886688423\129461295" -childID 3 -isForBrowser -prefsHandle 5068 -prefMapHandle 5064 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dfc1824-d540-4b69-8d23-ba570a962bce} 1348 "\\.\pipe\gecko-crash-server-pipe.1348" 5060 1a5af1e8958 tab
      4⤵
      PID:3848
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1348.6.674592588\1903062678" -childID 5 -isForBrowser -prefsHandle 5320 -prefMapHandle 5324 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20f2d17c-6f1d-434b-b77d-ecd28e29cc67} 1348 "\\.\pipe\gecko-crash-server-pipe.1348" 5304 1a5b0328e58 tab
      4⤵
      PID:1568
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1348.5.1593604624\1082417089" -childID 4 -isForBrowser -prefsHandle 5116 -prefMapHandle 5124 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6807aac-4e40-4c86-99bd-96532b26f8a5} 1348 "\\.\pipe\gecko-crash-server-pipe.1348" 4900 1a5b0325858 tab
      4⤵
      PID:4080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
a1b2b5d00d6aac437cdff084f3a0a8d9

SHA1
49c485a223720af698cfab1e9c8d5547744ede6d

SHA256
9bcfc6ac51042ff30fd11d30dc11ed3d37c29f86306aa9c31da69ddc49351396

SHA512
805dcad02664c573238ca8f66c5ea7d712c26ab3a986458935f755cd0351f55fe738a247a113083c6acb7eea009c53787a190f90462d13668700c989a35b1e25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_5654EC63294C39DE7CC060CB799182CF

Filesize
471B

MD5
6bf50de33fa4848356df525bdb17a561

SHA1
27b65ad48ed6b14b616579a54fb53f1ddd69e399

SHA256
3f8b5445c77d3191ac7d9729fa0898620185af043f8e353d9db1349a6bea49f9

SHA512
4a9601dabc64d4180131c3daf46a7d0079d79902a26ae438c3e885e4ca1fea602979deea49a867e2db2295389f3d726f9c6ce7ff8ad5ace3ccd9b1a0fad7061f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
c18c1ab84b27ba6cf9cd2e5ca8a96d62

SHA1
df6dc9e0b61be770d13df05ac149ed07c5f9210c

SHA256
c3535d9b617c8060aa4a80b708e2d017c1b344258b5f18d1b6889060c894ff2a

SHA512
cb84a250d7c37c1def8d34976326f4d90b4e5fc0dbefddec5958af85e67a07e77ca0bebe8bd8c3ab784b138eb2ee05004ebba20156e5e02186bd1dd1d92850e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
3864dead29628a3e03e0cbf0b08bade8

SHA1
697e5f61ae2964b8cd4261ed7038572fb79fdcab

SHA256
f0e8b0e6e2d7f533a4f2a3d6e266ea4dbe9de52e8ca5dd3f931030eb81d12eae

SHA512
241aeee370c432d7d444a42ada14fc46c194d81a624fc6f1af5399d429b65474ede92d4ac62f61d1f4578476181ace0c2cb8f9fd08f660683a3e01eecae59615

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_5654EC63294C39DE7CC060CB799182CF

Filesize
406B

MD5
a566792555efd6317fa6f43d19e33ddf

SHA1
2ee8ba87ffac9ccb048052261cab5f9f5bc9abfb

SHA256
0d6ddf343d750e98423bb755c7f92d7e870b2caa1473874e2508ac896c58ad44

SHA512
98b7774511af7557a21cdaf2688f410abfb1d9eb789199b5f7afeac8d9beab5224250a3fd64f6bae4e6aa7e16d1dd715f12059694916d4d0e0b703b4333a652b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
9bf10050197169e64101db460d3c6a29

SHA1
a82b0bc7b9e766607619e3416878776f019732e8

SHA256
bad5eeb0c48026ab75f25becc2a1f95117179d7ed791cbc71bd5383801fb1792

SHA512
dc5257d394d84fd893f6d325ead0f46b73012c18e65bc25ea95439b80f4b2401e3089a8e88036a6bb862d2a281e8b3f9c9c401bfa4f3873a812ac1757cb19e34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\DHBU8QJF\napkforpc[1].xml

Filesize
22KB

MD5
442c736dc9f62a181e549e35fba3efe4

SHA1
31378aa782c6fc070f36aeebcf1ca95c809f58d0

SHA256
5a44964ca3d3850a52ab0fa0b50b711dedccb25fe1dacb7e85192885a5c7b2f4

SHA512
15aac1259f49c977864ac334bc2e039434c66f7945fa15756161106c354c4308667cb6bcfd7e974801a3d0af6e58806c3fef041d3dd51ed870b2f2347da93c5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver1184.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\dcpq11e\imagestore.dat

Filesize
4KB

MD5
0f9ba05f0ff281fd428278aa8ef078ec

SHA1
a215d76943c33bd4c1c5be617b15f79933f14adf

SHA256
8406709cfb969a476ca3c52c839b2f73077b0ac7717d09b645bebe690428665a

SHA512
5871d039ad0eab1a53c67038431f0c6660ae127aa86d35d202d0a089671e63632561f107d46ef65369f977d3535a917e83baf775b16aaa4a352bbd1eaaaf537c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4HAJQ22Y\com.miniplay.gunspin.Napkforpc.com[1].xapk

Filesize
60.1MB

MD5
c46adf3d6353da54c06f9b99bc1b5618

SHA1
8773595a3477bc36505c682e56395bb635d6d2af

SHA256
f15ca7cba159999ae146b684d97e7f9a0cc362e60821968e2e8358f0c9acf091

SHA512
3f7d27fb95cb9ccb208f7a463819fd7a354e55be03492731d8e56214ab0e32d7fd68f63e52b3829e631cabd19b451ab12ee68e0e8def241f23c90fbdc71fa0af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4HAJQ22Y\rx_lidar[1].js

Filesize
158KB

MD5
00186a8aef5e04845dc46b2784452d83

SHA1
538024aedd40bf7b9698530bb5ec59ef1e6991ed

SHA256
fc5e5e5fcb0512d00c16a63f06157a3d039a2810e184226ffede0b5f2f223293

SHA512
19f1e096dd8fb545862cdd00070f60cffb1a6b56a80ed2e1c794b800a1d5e137e1725e281ebfd9f83e9b5d7b1ce206b092860098671934c8ffe3c848037bb427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5AN3FZ97\C7b5IevRzs7vTKGp4g_K_Nmwr5Xy0qRS_sOpBfXgSTE[1].js

Filesize
37KB

MD5
dd0b29bb542268fa160be78214a8d6cf

SHA1
2590250c408099cad4483c95e661b77d17fe76f8

SHA256
0bb6f921ebd1ceceef4ca1a9e20fcafcd9b0af95f2d2a452fec3a905f5e04931

SHA512
41f0efc646933aa953bc5ab30402dfa24ab4073e78748550b30af09a703c1fbb77dd5b3ef29d7e905776a17b7792402dd82a16c6a7feca529b6fc7a2d9ac57dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5AN3FZ97\com.miniplay.gunspin.Napkforpc.com.xapk.zu0va60.partial

Filesize
60.1MB

MD5
c46adf3d6353da54c06f9b99bc1b5618

SHA1
8773595a3477bc36505c682e56395bb635d6d2af

SHA256
f15ca7cba159999ae146b684d97e7f9a0cc362e60821968e2e8358f0c9acf091

SHA512
3f7d27fb95cb9ccb208f7a463819fd7a354e55be03492731d8e56214ab0e32d7fd68f63e52b3829e631cabd19b451ab12ee68e0e8def241f23c90fbdc71fa0af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5AN3FZ97\css[1].css

Filesize
712B

MD5
bd40dc5f43c35ad38c7cbc463b57a5cb

SHA1
3b4a5f63f57f17a3c98e314f942a0b8802dc22dd

SHA256
ee4f4220f3e369cdc3d678ebfc41ed6b77762c6678fed4a2190e804969dfb628

SHA512
956baa0f04aba5c93daa30edf237cb94752c3854a6a0b142e5099f13f27d91d9cda224d4e45adf775160e116c20919f53af9ecea7d2b985722cce3d3bf9ae8de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5AN3FZ97\f[3].txt

Filesize
28KB

MD5
d8c8d00ce37f3b5a69905b15244d5d4a

SHA1
45a643ea54bf6591b1bf14b5f3723b098f15e803

SHA256
3694bc5a1eac1e9d958aeb602388bd2d9372876d4b033318646c95d439e6df25

SHA512
48a20aa7ad8d2c9f7bb481ce9152ffd80beba1351082dccd56f0ff7aae1982861fe3ea156e9620c2376802f247fff98e86286f04a0de60268bdd821a62852140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5AN3FZ97\logo[1].png

Filesize
4KB

MD5
4397016dab26d0af3515c379a1486d3d

SHA1
8ad10cf560ff811dd00007c27aba1ddc1b57b4c7

SHA256
1937333a1a1c637446c1b2e9a30781665f0628a6a6458bb2eae7c812f01d4424

SHA512
5b2df68251206e8f419a7b404b9a0886f3e3bc5986580f104eb5231b00bf6082bbda3beaa06fcd5ad3c5e7ae2208d141b4ecabdfea682a26b63003739ad2893a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LZ0AI98S\2d4d1720ca9317f0a648fa48ce84d2a3[1].js

Filesize
48KB

MD5
2d4d1720ca9317f0a648fa48ce84d2a3

SHA1
aea8597ff6ce3a7b9c1ed2b9b799d1f12a34a75c

SHA256
57ddb0bbe9e1b8fc77264a81fd5608871fa9b3077e32a124103993118dc13cfb

SHA512
4b830b418c306c3f01d4ac04617c8c6b39d02a3ce8c5bfc25b6963073ddd0e7b1775f996f4b8b155b4f16d22ec91aa4b0e01d5f67d0a6b45478d718653c292b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S64KWKX9\f[1].txt

Filesize
164KB

MD5
01772fbf572215da9e5bb6853fdb04aa

SHA1
91e58ef7f59cc114c72d539adfadab26b343727a

SHA256
f050fccb541f6174db2f8c753cdc935bb76aa3dfbb423256f8fd5115c886241e

SHA512
b90e3a3076899b892f819a132498f701fa64853db700e27400097e926e1a8e44ac426efdda203bceb39d59ba80a9990b61ddb64c4393fa97e460df0978240f5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S64KWKX9\f[2].txt

Filesize
28KB

MD5
1fbe8f40f28c5d76142d7cbde318ec20

SHA1
3b2c1a588f1707cb89f4a36c4526c72f3aaab50a

SHA256
11f1414c6342d8a5a5124286921298b09b1e776f0aae7bbc4c83b96685166019

SHA512
60cfb06aaa72edb87288960425ff8755097c05e468ebc2e385cccaafad49476daec3409cb8ba4e160fee788b8f2aba2cb0e1684458b41f374a18865d615cfb6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S64KWKX9\f[3].txt

Filesize
2KB

MD5
43df87d5c0a3c601607609202103773a

SHA1
8273930ea19d679255e8f82a8c136f7d70b4aef2

SHA256
88a577b7767cbe34315ff67366be5530949df573931dd9c762c2c2e0434c5b8a

SHA512
2162ab9334deebd5579ae218e2a454dd7a3eef165ecdacc7c671e5aae51876f449de4ac290563ecc046657167671d4a9973c50d51f7faefc93499b8515992137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S64KWKX9\f[4].txt

Filesize
2KB

MD5
01b5d2b1c33bb607d605bc345663153a

SHA1
681e30c5eb4133c11e621d351218121aec16f354

SHA256
9de103952ef65bbed1caa4c723a8c4a88760791eb92dd092e410f643a1e256f4

SHA512
4bf150c698930ac0e606ee4ee4be37abaab9fd5bde1fdef2dbb95a9289d36a80555208038a86013d1d33665968498e3d4ff8e8668dd5d08bbdfe5f85d7546f71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S64KWKX9\s[1].htm

Filesize
143B

MD5
e4e31b474d3e0b577b3c8856e91f8659

SHA1
a81311f7fcfa9b6b23a24d4e5c976d5f75b1b9b7

SHA256
18088c10e79c926292732af98a0ce470e90f3fbcba4bb4896ab3310c2d94e421

SHA512
a07961eb39c4cd4e39ee19e2c675e64e5ba5367daa18e2f76a23772abd62f46b002e6be8fb0f35a70616941178facc8df579c4a68e5811b74313c12806aafae3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\activity-stream.discovery_stream.json.tmp

Filesize
144KB

MD5
f484a652c4c4950ffb7a4043aa386e34

SHA1
59e897b0c1d77e8018e38c28c3691d86a435d9a4

SHA256
de277fcff9b8788ababfa1b27c17ffc3520174649483676ce1c991d6d94250bc

SHA512
a3c094355c851dc8f396ded7d185fab05563470a4321dd55e3269278f7cd6ea27aeee239a7c3fe64c471a8f91bb249103b9e613fe4381c7240ab259476bbba0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF78F4B5191DCFCE5A.TMP

Filesize
16KB

MD5
9ffcf967410609eab508f254e7ca6aa2

SHA1
061671a355104728137c16cdec077b7312545f36

SHA256
a3ec8754d1131e7e3f9e35a5ea52257b5cae7686f3f4355da048ac16f4a30e98

SHA512
11d215e25afe2eb70c54c54c6b4e3125382c842324889ffc15e1b9f0e333c04473e9a8eed6fbda0c09478693811ef46efe97a16d08209ef00496b98afd6b6973

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.js

Filesize
6KB

MD5
cde270b8b8404e519e367dc21615bf32

SHA1
7de47ee81ef06b4dedab99b4dae3afb420a04e89

SHA256
68e79ea6db7365c20bd03d178d21ede48486f6121dab27c47db50fbe0fd040ba

SHA512
80c5dd6f9fe49e7e80c0f71a236bbf711ff71829d3ba5e5dc67237aaeae058968501adc8759e8fa6d518d33c24ca86a0c1b7a5c6fcc65e3490e52dfc8e117b13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.js

Filesize
6KB

MD5
4bff5cd08f3ec358a1a87818d4331660

SHA1
ecabcb9430b2b2ae363752348b4e79b1f77a73e8

SHA256
6884e52e39042e03c9b24edf8f036a0eee68dd70c7256a95c93ed7549eb8edb0

SHA512
774950a3e6fed1038c961dbc3b467be405211d64ca7121999bb78781ef071b741bdf9e21139452216d339e358f64c750fc97ad1ffc119cf070b72f579df4bc40

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs.js

Filesize
6KB

MD5
207077fed406e49d74fa19116d2712aa

SHA1
3ce60cb9b4fbd6b00a9ae26c599b9fdbe2b6c5ee

SHA256
b02701ad3c4478f891a550eac65f0a8c183999aa22a1dd171bd698b990124c58

SHA512
0c6398230b3eb103a0ce280f127515d998a6c9ea8908b8b248b132782f8166141ba8e1faabc7ace4b80e9c925bc5d7885f0fba8c16cb2e7798055727dc66190e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
9c47ab81a91bced2748483355ac74aa8

SHA1
1715e1382ffea1574efea13c5ee745c235cd99d9

SHA256
1dc001df09c44495dcc864a5bff1b18d1d348eed250f31521973712877fe6d66

SHA512
6956a8ce22b4c3fdb661c32331ea0b37791088253c009949b362a5f559356e140fcbbe529ef92a0b8e109a12875269cdd3f4c2fc4205940dd3279056fa436bd0

Download Submit
C:\Users\Admin\Downloads\com.miniplay.gunspin.Napkforpc.com (1) (1).xapk

Filesize
60.1MB

MD5
c46adf3d6353da54c06f9b99bc1b5618

SHA1
8773595a3477bc36505c682e56395bb635d6d2af

SHA256
f15ca7cba159999ae146b684d97e7f9a0cc362e60821968e2e8358f0c9acf091

SHA512
3f7d27fb95cb9ccb208f7a463819fd7a354e55be03492731d8e56214ab0e32d7fd68f63e52b3829e631cabd19b451ab12ee68e0e8def241f23c90fbdc71fa0af

Download Submit
C:\Users\Admin\Downloads\com.miniplay.gunspin.Napkforpc.com (1).xapk

Filesize
60.1MB

MD5
c46adf3d6353da54c06f9b99bc1b5618

SHA1
8773595a3477bc36505c682e56395bb635d6d2af

SHA256
f15ca7cba159999ae146b684d97e7f9a0cc362e60821968e2e8358f0c9acf091

SHA512
3f7d27fb95cb9ccb208f7a463819fd7a354e55be03492731d8e56214ab0e32d7fd68f63e52b3829e631cabd19b451ab12ee68e0e8def241f23c90fbdc71fa0af

Download Submit
C:\Users\Admin\Downloads\com.miniplay.gunspin.Napkforpc.com.xapk

Filesize
60.1MB

MD5
c46adf3d6353da54c06f9b99bc1b5618

SHA1
8773595a3477bc36505c682e56395bb635d6d2af

SHA256
f15ca7cba159999ae146b684d97e7f9a0cc362e60821968e2e8358f0c9acf091

SHA512
3f7d27fb95cb9ccb208f7a463819fd7a354e55be03492731d8e56214ab0e32d7fd68f63e52b3829e631cabd19b451ab12ee68e0e8def241f23c90fbdc71fa0af

Download Submit