7dc909cd2f5c8bc69358416320010d634a0e123cf5ef5152cb6fac139b397e7e

Analysis

max time kernel
104s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a8568882b188cb6262216906b127025_JaffaCakes118.exe
Size

590KB
MD5

7a8568882b188cb6262216906b127025
SHA1

bcf84768b4b9538554026da8a575a87304d4050b
SHA256

7dc909cd2f5c8bc69358416320010d634a0e123cf5ef5152cb6fac139b397e7e
SHA512

0647aa110c04718858ab06be0ef2ce03c3e8090c4b2cb8cdf55e0cf0ffe59fa9597d86de9887055a64394a38f8a8400aa30e87f379fc5e815d6551c24c7059f6
SSDEEP

12288:H24Cqbnp7/OP/6D54YQRTGkcx4v9csrXndd0:W4C8p+9f6nW1Hrw

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2420	netprotocol.exe

Loads dropped DLL 2 IoCs

pid	Process
1700	7a8568882b188cb6262216906b127025_JaffaCakes118.exe
1700	7a8568882b188cb6262216906b127025_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2352-92-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2352-89-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2352-87-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2420 set thread context of 2352	2420	netprotocol.exe	32
PID 2420 set thread context of 2352	2420	netprotocol.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	7a8568882b188cb6262216906b127025_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	7a8568882b188cb6262216906b127025_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	7a8568882b188cb6262216906b127025_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	7a8568882b188cb6262216906b127025_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe
2420	netprotocol.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	netprotocol.exe
Token: SeShutdownPrivilege	2352	RegAsm.exe
Token: SeDebugPrivilege	2352	RegAsm.exe
Token: SeTcbPrivilege	2352	RegAsm.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2420	1700	7a8568882b188cb6262216906b127025_JaffaCakes118.exe	28
PID 1700 wrote to memory of 2420	1700	7a8568882b188cb6262216906b127025_JaffaCakes118.exe	28
PID 1700 wrote to memory of 2420	1700	7a8568882b188cb6262216906b127025_JaffaCakes118.exe	28
PID 1700 wrote to memory of 2420	1700	7a8568882b188cb6262216906b127025_JaffaCakes118.exe	28
PID 2420 wrote to memory of 1572	2420	netprotocol.exe	29
PID 2420 wrote to memory of 1572	2420	netprotocol.exe	29
PID 2420 wrote to memory of 1572	2420	netprotocol.exe	29
PID 2420 wrote to memory of 1572	2420	netprotocol.exe	29
PID 1572 wrote to memory of 1556	1572	cmd.exe	31
PID 1572 wrote to memory of 1556	1572	cmd.exe	31
PID 1572 wrote to memory of 1556	1572	cmd.exe	31
PID 1572 wrote to memory of 1556	1572	cmd.exe	31
PID 2420 wrote to memory of 2352	2420	netprotocol.exe	32
PID 2420 wrote to memory of 2352	2420	netprotocol.exe	32
PID 2420 wrote to memory of 2352	2420	netprotocol.exe	32
PID 2420 wrote to memory of 2352	2420	netprotocol.exe	32
PID 2420 wrote to memory of 2352	2420	netprotocol.exe	32
PID 2420 wrote to memory of 2352	2420	netprotocol.exe	32
PID 2420 wrote to memory of 2352	2420	netprotocol.exe	32
PID 2420 wrote to memory of 2352	2420	netprotocol.exe	32
PID 2420 wrote to memory of 2352	2420	netprotocol.exe	32
PID 2420 wrote to memory of 2352	2420	netprotocol.exe	32
PID 2420 wrote to memory of 2352	2420	netprotocol.exe	32

C:\Users\Admin\AppData\Local\Temp\7a8568882b188cb6262216906b127025_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7a8568882b188cb6262216906b127025_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -n
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
      4⤵
      PID:1556
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_408BF57CFB22C8CE7202361683829F8C

Filesize
1KB

MD5
7759da265edb7cdb07f66657f7674bdf

SHA1
4dd6a84de3db8baf3a2fe7088881a7d0cd023bc1

SHA256
c50973d85493617126145635846a28f155a3a3571378ed6b5924eb8701b584b1

SHA512
bca66c19ba3c2f279dd985f816bc3ca20e33b59f153abc0924b131eaf6b9fed690fb3a86a7f34894ebaf2af0f0c2711755ea5941ab500e40fa055efc8e67f494

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F

Filesize
834B

MD5
cbed24fd2b55aea95367efca5ee889de

SHA1
946f48b5c344fd57113845cd483fed5fb9fa3e54

SHA256
1dc8a0fcbe260b77adfe5ad9aaac543239b2a0d9f4e1f3c2657beee4376ffee4

SHA512
c504a11ea576f8ce14de26a0617e22e71e14db0f1dadefc187ce94e4a35a83743c743824e3629899c262aae4772bb86a0ee5bb643db20645483f0c376215ec6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_408BF57CFB22C8CE7202361683829F8C

Filesize
404B

MD5
00db4d51d681f80bb26903aecd855c47

SHA1
c8674c1b6e8fb7ae26c6edabceb93e2fb8d2bdd4

SHA256
ccd2adbfc72212f5957d6c5349600c06e1c06f05d26c2ff172950e5a1a48bf13

SHA512
8f87d09b94f602baad5778a648a8f2377c8848f86c65c482fc759ca85edca7c395ba02bce91c9c8428612f4fa2c9a2376de782e9658f0aed5694abb963d8fb18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6

Filesize
404B

MD5
d827e0728da1339cbca64e6a50ecfbaa

SHA1
32b83897b6138294a6afb8df584e83f520decd05

SHA256
c7ee3555a925cfc1293ceb4299b009755dad943c4850431ced85811cc4feb77d

SHA512
ad2a8b5888b2c2a9517847409098ce788ec6d449f36802581cc3ced2b7f3b6743810deef36a6d5630bedc49f6a7af5601cc1a5093ca9f2460dad9606bdb95298

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F

Filesize
188B

MD5
eff6869cec84630232c544d8cf4142ba

SHA1
036426dc50043ed710014b4d1077d5b2cafcdc56

SHA256
54f44e7d1ceca799f1e376c919543ae6a86bfd6a5c335b7fffa61370bc790574

SHA512
ed89de61258142f4be26a6cb9591b09f5cf066cf09d81912025c06a86e9d0cd73576ca71d68c8e0f67c76d4310f698a71845509e336e0d5ca55a362129c35184

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
93cd7e9e2a4a25ad36070062593bcc52

SHA1
54496b7ff292862b5acd5f67bfd6cd5cda0c78fa

SHA256
f3b0460188d44cd4389977efbe6b6f1a20a72ff548c4c87adf1544426bbacedb

SHA512
d20ffe7496da042da29a817de4e8cd3acd9793a7ee4f6c4b3c2049a39298e0efbe960fe9952b13cab41fab382caf0719ad3d6101b645a3b5efbedcea9f1f527f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF6E.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF90.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe

Filesize
590KB

MD5
7a8568882b188cb6262216906b127025

SHA1
bcf84768b4b9538554026da8a575a87304d4050b

SHA256
7dc909cd2f5c8bc69358416320010d634a0e123cf5ef5152cb6fac139b397e7e

SHA512
0647aa110c04718858ab06be0ef2ce03c3e8090c4b2cb8cdf55e0cf0ffe59fa9597d86de9887055a64394a38f8a8400aa30e87f379fc5e815d6551c24c7059f6

Download Submit
memory/1700-69-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-0-0x00000000744F1000-0x00000000744F2000-memory.dmp

Filesize
4KB

Download
memory/1700-1-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/2352-86-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2352-92-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2352-91-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2352-89-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2352-87-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2420-70-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/2420-62596-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download