7d0b4123925f27b39f6fa807c5cbe5503a7076d44402f9a1ced682e4b9007c52

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

676468f314fed40a1151d580e98226c7_JaffaCakes118.exe
Size

566KB
MD5

676468f314fed40a1151d580e98226c7
SHA1

65d7707909da6e4d2f7aca130e273613efc2e121
SHA256

7d0b4123925f27b39f6fa807c5cbe5503a7076d44402f9a1ced682e4b9007c52
SHA512

33ca83d85f9e692707d9225af75115c71cc286eaebf3289af5b88ad2c6f79873785e42d8575628389b9f9a11dbeda4649755cd44a4b046bae66a6b5076b8c470
SSDEEP

6144:ZP5sIpfoSB6e/uwxkWaXYikTEuj81k1K4np8c2tcQjvyBW9UCZY1geSgX3RrEOuX:ZOIpfZmbXYiLqk4Sc2R6BRxcAEYj8n1X

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2520	netprotocol.exe
816	netprotocol.exe

Loads dropped DLL 2 IoCs

pid	Process
2172	676468f314fed40a1151d580e98226c7_JaffaCakes118.exe
2172	676468f314fed40a1151d580e98226c7_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/816-99-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/816-96-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/816-94-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/816-104-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/816-117-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2520 set thread context of 816	2520	netprotocol.exe	32
PID 2520 set thread context of 816	2520	netprotocol.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	676468f314fed40a1151d580e98226c7_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	676468f314fed40a1151d580e98226c7_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	676468f314fed40a1151d580e98226c7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	676468f314fed40a1151d580e98226c7_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe
2520	netprotocol.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
816	netprotocol.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	netprotocol.exe
Token: SeShutdownPrivilege	816	netprotocol.exe
Token: SeDebugPrivilege	816	netprotocol.exe
Token: SeTcbPrivilege	816	netprotocol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
816	netprotocol.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2520	2172	676468f314fed40a1151d580e98226c7_JaffaCakes118.exe	28
PID 2172 wrote to memory of 2520	2172	676468f314fed40a1151d580e98226c7_JaffaCakes118.exe	28
PID 2172 wrote to memory of 2520	2172	676468f314fed40a1151d580e98226c7_JaffaCakes118.exe	28
PID 2172 wrote to memory of 2520	2172	676468f314fed40a1151d580e98226c7_JaffaCakes118.exe	28
PID 2520 wrote to memory of 1240	2520	netprotocol.exe	29
PID 2520 wrote to memory of 1240	2520	netprotocol.exe	29
PID 2520 wrote to memory of 1240	2520	netprotocol.exe	29
PID 2520 wrote to memory of 1240	2520	netprotocol.exe	29
PID 1240 wrote to memory of 1312	1240	cmd.exe	31
PID 1240 wrote to memory of 1312	1240	cmd.exe	31
PID 1240 wrote to memory of 1312	1240	cmd.exe	31
PID 1240 wrote to memory of 1312	1240	cmd.exe	31
PID 2520 wrote to memory of 816	2520	netprotocol.exe	32
PID 2520 wrote to memory of 816	2520	netprotocol.exe	32
PID 2520 wrote to memory of 816	2520	netprotocol.exe	32
PID 2520 wrote to memory of 816	2520	netprotocol.exe	32
PID 2520 wrote to memory of 816	2520	netprotocol.exe	32
PID 2520 wrote to memory of 816	2520	netprotocol.exe	32
PID 2520 wrote to memory of 816	2520	netprotocol.exe	32
PID 2520 wrote to memory of 816	2520	netprotocol.exe	32

C:\Users\Admin\AppData\Local\Temp\676468f314fed40a1151d580e98226c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\676468f314fed40a1151d580e98226c7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -n
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
      4⤵
      PID:1312
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_408BF57CFB22C8CE7202361683829F8C

Filesize
1KB

MD5
b6a068593e0aefcec1ac11570a345e4d

SHA1
bf91ee7b84937e0af592599cb60c564d35a83b47

SHA256
15eadffeaa41d852b46f9cc2d1ae65ae17fcf190cb3211319cdb98016825e7d3

SHA512
a717b414d1aea61f84d47c48c6f62dce75f5cc2667c2332d3a86832336bbdb3edf3449649f21a8c670e695c6a69dc8546e39826b359b872aba1e6e28bc257cf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F

Filesize
834B

MD5
cbed24fd2b55aea95367efca5ee889de

SHA1
946f48b5c344fd57113845cd483fed5fb9fa3e54

SHA256
1dc8a0fcbe260b77adfe5ad9aaac543239b2a0d9f4e1f3c2657beee4376ffee4

SHA512
c504a11ea576f8ce14de26a0617e22e71e14db0f1dadefc187ce94e4a35a83743c743824e3629899c262aae4772bb86a0ee5bb643db20645483f0c376215ec6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_408BF57CFB22C8CE7202361683829F8C

Filesize
404B

MD5
7e71ed79d2733c96a38c73140351643d

SHA1
0a07fe4facab25b5e40ee261de2cd23c8c8bdec3

SHA256
8f59427f0112cd26878d9d783feca6ee5ea30ef3274e847164dc8c75ce371615

SHA512
850b47bf1cc18b0595d1924437d4a8ac5b466085605e8ee86f196a0ac6496d1863d0084c231ed49d7a2c98a29277ec2d43c1807ccb1a93409b5333c08cf92ec6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6

Filesize
404B

MD5
ad36a28372980420f915bfcd54884a28

SHA1
5a760366fca474e43d9e6e2343056192b5453a95

SHA256
cd6a99ac0aa5eff135031291c929730be42e11c0a3cb1d6ae6791a7d0ecf23d3

SHA512
100dda2f4183823786ed0cb42c54effdba20c889927cba03e9595c02d0954d2a15de65b482fe5abf7e8cd39e1c9f20cc363affdcd99cf826e96bbe1800c43ab7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F

Filesize
188B

MD5
d00272b9382a0a4226391d5a03139817

SHA1
db6a762e0d252ff2b841ac378e1de7b69f5a561d

SHA256
7eac5ed98d1e9aa2406879d61ddd77117f30f94329618b2bc9a92e4503570daa

SHA512
d9137d89256e981e516b2a0f060428b7b4e63fea03fd38afd5ed2bf225734379d7375d60a6034efd22106d68f4837e9ba59c16bf77e42683f8319c3712aae0a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f612d94f230480bb03f62271129339a2

SHA1
2513fc7f05e6dc24201b016d5e978d5ada287e3f

SHA256
8e25958634b731c354f8d03e233c2c0b90229fc0e0d742f9b2de6a126fe5a515

SHA512
25e89c65ccacd70c886702256c2e6850c7d7de434986898a170a8cc12c0c67241ebfe62e60c9691f99db5298d79553952e6e5c17996cc366ade850b9318e52d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1655.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe

Filesize
566KB

MD5
676468f314fed40a1151d580e98226c7

SHA1
65d7707909da6e4d2f7aca130e273613efc2e121

SHA256
7d0b4123925f27b39f6fa807c5cbe5503a7076d44402f9a1ced682e4b9007c52

SHA512
33ca83d85f9e692707d9225af75115c71cc286eaebf3289af5b88ad2c6f79873785e42d8575628389b9f9a11dbeda4649755cd44a4b046bae66a6b5076b8c470

Download Submit
memory/816-99-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/816-94-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/816-117-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/816-104-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/816-96-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/816-98-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/816-92-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2172-0-0x00000000747D1000-0x00000000747D2000-memory.dmp

Filesize
4KB

Download
memory/2172-1-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2172-74-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2172-2-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2520-91-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2520-75-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2520-12328-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download