gurcu | 4e9fff3d87862633176207d7501348a46e6e539180d63206fcb9a7e9533bfc0c

Analysis

max time kernel
71s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2023 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e9fff3d87862633176207d7501348a46e6e539180d63206fcb9a7e9533bfc0c.exe
Size

1.0MB
MD5

5d876a3f2e63985cd1a1acef1ced738d
SHA1

2e5fd5786b16f52ae937a75b048049223f4365b6
SHA256

4e9fff3d87862633176207d7501348a46e6e539180d63206fcb9a7e9533bfc0c
SHA512

ebb48ead5b845e893ee56a54669dd5aa874ce991f9d52b515171bdd3c2921818cd50a55ae3f9943488b404e74cd155d47bef75f33575dc962cb0e32a4069d601
SSDEEP

24576:pyucQgSU+My3dRTJluGA9V80+fY2ZvDxdvXMQhRti/:cucRSU+ztlTA9VAvD3fni

Score

10^/10

gurcu redline fash lina collection discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lina

83.97.73.122:19062

Attributes

auth_value
13523aee5d194d7716b22eeab7de10ad

Extracted

Family

redline

Botnet

fash

83.97.73.122:19062

Attributes

auth_value
dd7165bcd22b0ed3df426d944e12f136

Extracted

Family

gurcu

https://api.telegram.org/bot6237712604:AAESgAGfaQ0EUC8eWgMd7kpAW_FEGRDRfDs/sendMessage?chat_id=880824160

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	s6445215.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	legends.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	k2.exe

Executes dropped EXE 11 IoCs

pid	Process
4848	z4743630.exe
2500	z5228861.exe
1548	o6695388.exe
2004	p1739181.exe
3388	r5875123.exe
2324	s6445215.exe
2180	s6445215.exe
4964	legends.exe
392	legends.exe
1988	k2.exe
3572	k2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4e9fff3d87862633176207d7501348a46e6e539180d63206fcb9a7e9533bfc0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4e9fff3d87862633176207d7501348a46e6e539180d63206fcb9a7e9533bfc0c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4743630.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4743630.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5228861.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5228861.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1548 set thread context of 1404	1548	o6695388.exe	88
PID 3388 set thread context of 4660	3388	r5875123.exe	94
PID 2324 set thread context of 2180	2324	s6445215.exe	96
PID 4964 set thread context of 392	4964	legends.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3912	schtasks.exe
4508	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2260	PING.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1404	AppLaunch.exe
1404	AppLaunch.exe
2004	p1739181.exe
2004	p1739181.exe
4660	AppLaunch.exe
4660	AppLaunch.exe
3572	k2.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	AppLaunch.exe
Token: SeDebugPrivilege	2004	p1739181.exe
Token: SeDebugPrivilege	2324	s6445215.exe
Token: SeDebugPrivilege	4964	legends.exe
Token: SeDebugPrivilege	4660	AppLaunch.exe
Token: SeDebugPrivilege	1988	k2.exe
Token: SeDebugPrivilege	3572	k2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2180	s6445215.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 4848	4656	4e9fff3d87862633176207d7501348a46e6e539180d63206fcb9a7e9533bfc0c.exe	84
PID 4656 wrote to memory of 4848	4656	4e9fff3d87862633176207d7501348a46e6e539180d63206fcb9a7e9533bfc0c.exe	84
PID 4656 wrote to memory of 4848	4656	4e9fff3d87862633176207d7501348a46e6e539180d63206fcb9a7e9533bfc0c.exe	84
PID 4848 wrote to memory of 2500	4848	z4743630.exe	85
PID 4848 wrote to memory of 2500	4848	z4743630.exe	85
PID 4848 wrote to memory of 2500	4848	z4743630.exe	85
PID 2500 wrote to memory of 1548	2500	z5228861.exe	86
PID 2500 wrote to memory of 1548	2500	z5228861.exe	86
PID 2500 wrote to memory of 1548	2500	z5228861.exe	86
PID 1548 wrote to memory of 1404	1548	o6695388.exe	88
PID 1548 wrote to memory of 1404	1548	o6695388.exe	88
PID 1548 wrote to memory of 1404	1548	o6695388.exe	88
PID 1548 wrote to memory of 1404	1548	o6695388.exe	88
PID 1548 wrote to memory of 1404	1548	o6695388.exe	88
PID 2500 wrote to memory of 2004	2500	z5228861.exe	89
PID 2500 wrote to memory of 2004	2500	z5228861.exe	89
PID 2500 wrote to memory of 2004	2500	z5228861.exe	89
PID 4848 wrote to memory of 3388	4848	z4743630.exe	92
PID 4848 wrote to memory of 3388	4848	z4743630.exe	92
PID 4848 wrote to memory of 3388	4848	z4743630.exe	92
PID 3388 wrote to memory of 4660	3388	r5875123.exe	94
PID 3388 wrote to memory of 4660	3388	r5875123.exe	94
PID 3388 wrote to memory of 4660	3388	r5875123.exe	94
PID 3388 wrote to memory of 4660	3388	r5875123.exe	94
PID 3388 wrote to memory of 4660	3388	r5875123.exe	94
PID 4656 wrote to memory of 2324	4656	4e9fff3d87862633176207d7501348a46e6e539180d63206fcb9a7e9533bfc0c.exe	95
PID 4656 wrote to memory of 2324	4656	4e9fff3d87862633176207d7501348a46e6e539180d63206fcb9a7e9533bfc0c.exe	95
PID 4656 wrote to memory of 2324	4656	4e9fff3d87862633176207d7501348a46e6e539180d63206fcb9a7e9533bfc0c.exe	95
PID 2324 wrote to memory of 2180	2324	s6445215.exe	96
PID 2324 wrote to memory of 2180	2324	s6445215.exe	96
PID 2324 wrote to memory of 2180	2324	s6445215.exe	96
PID 2324 wrote to memory of 2180	2324	s6445215.exe	96
PID 2324 wrote to memory of 2180	2324	s6445215.exe	96
PID 2324 wrote to memory of 2180	2324	s6445215.exe	96
PID 2324 wrote to memory of 2180	2324	s6445215.exe	96
PID 2324 wrote to memory of 2180	2324	s6445215.exe	96
PID 2324 wrote to memory of 2180	2324	s6445215.exe	96
PID 2324 wrote to memory of 2180	2324	s6445215.exe	96
PID 2180 wrote to memory of 4964	2180	s6445215.exe	97
PID 2180 wrote to memory of 4964	2180	s6445215.exe	97
PID 2180 wrote to memory of 4964	2180	s6445215.exe	97
PID 4964 wrote to memory of 392	4964	legends.exe	98
PID 4964 wrote to memory of 392	4964	legends.exe	98
PID 4964 wrote to memory of 392	4964	legends.exe	98
PID 4964 wrote to memory of 392	4964	legends.exe	98
PID 4964 wrote to memory of 392	4964	legends.exe	98
PID 4964 wrote to memory of 392	4964	legends.exe	98
PID 4964 wrote to memory of 392	4964	legends.exe	98
PID 4964 wrote to memory of 392	4964	legends.exe	98
PID 4964 wrote to memory of 392	4964	legends.exe	98
PID 4964 wrote to memory of 392	4964	legends.exe	98
PID 392 wrote to memory of 3912	392	legends.exe	99
PID 392 wrote to memory of 3912	392	legends.exe	99
PID 392 wrote to memory of 3912	392	legends.exe	99
PID 392 wrote to memory of 848	392	legends.exe	101
PID 392 wrote to memory of 848	392	legends.exe	101
PID 392 wrote to memory of 848	392	legends.exe	101
PID 848 wrote to memory of 448	848	cmd.exe	103
PID 848 wrote to memory of 448	848	cmd.exe	103
PID 848 wrote to memory of 448	848	cmd.exe	103
PID 848 wrote to memory of 4804	848	cmd.exe	104
PID 848 wrote to memory of 4804	848	cmd.exe	104
PID 848 wrote to memory of 4804	848	cmd.exe	104
PID 848 wrote to memory of 1612	848	cmd.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe

C:\Users\Admin\AppData\Local\Temp\4e9fff3d87862633176207d7501348a46e6e539180d63206fcb9a7e9533bfc0c.exe
"C:\Users\Admin\AppData\Local\Temp\4e9fff3d87862633176207d7501348a46e6e539180d63206fcb9a7e9533bfc0c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4743630.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4743630.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5228861.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5228861.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6695388.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6695388.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1739181.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1739181.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2004
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5875123.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5875123.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3388
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4660
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6445215.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6445215.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6445215.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6445215.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4964
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:392
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3912
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:1828
      - C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "k2" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe"
        7⤵
        
        PID:2440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1796
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1
        8⤵
        Runs ping.exe
        
        PID:2260
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "k2" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe
        
        "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe"
        8⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:3572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\k2.exe.log

Filesize
1KB

MD5
fc1be6f3f52d5c841af91f8fc3f790cb

SHA1
ac79b4229e0a0ce378ae22fc6104748c5f234511

SHA256
6da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910

SHA512
2f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
7424dd4b4a41bdfbac266dd2616587e8

SHA1
90995dd668e35a6127e21174f3f6b5782a827451

SHA256
1f9b7395cdf0639812d2b5d762fc02eb930bf687b4dc6378839338ae4f90d38a

SHA512
518041c4f94bf96ad0670bf97d37c5025e38036b2fed219d5ff91d31b81373e1943d06b1f7f99a1e5f7f9f4b16923716bbaaf1c8e2d457812297e8f2b85a637d

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
7424dd4b4a41bdfbac266dd2616587e8

SHA1
90995dd668e35a6127e21174f3f6b5782a827451

SHA256
1f9b7395cdf0639812d2b5d762fc02eb930bf687b4dc6378839338ae4f90d38a

SHA512
518041c4f94bf96ad0670bf97d37c5025e38036b2fed219d5ff91d31b81373e1943d06b1f7f99a1e5f7f9f4b16923716bbaaf1c8e2d457812297e8f2b85a637d

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
7424dd4b4a41bdfbac266dd2616587e8

SHA1
90995dd668e35a6127e21174f3f6b5782a827451

SHA256
1f9b7395cdf0639812d2b5d762fc02eb930bf687b4dc6378839338ae4f90d38a

SHA512
518041c4f94bf96ad0670bf97d37c5025e38036b2fed219d5ff91d31b81373e1943d06b1f7f99a1e5f7f9f4b16923716bbaaf1c8e2d457812297e8f2b85a637d

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
7424dd4b4a41bdfbac266dd2616587e8

SHA1
90995dd668e35a6127e21174f3f6b5782a827451

SHA256
1f9b7395cdf0639812d2b5d762fc02eb930bf687b4dc6378839338ae4f90d38a

SHA512
518041c4f94bf96ad0670bf97d37c5025e38036b2fed219d5ff91d31b81373e1943d06b1f7f99a1e5f7f9f4b16923716bbaaf1c8e2d457812297e8f2b85a637d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6445215.exe

Filesize
962KB

MD5
7424dd4b4a41bdfbac266dd2616587e8

SHA1
90995dd668e35a6127e21174f3f6b5782a827451

SHA256
1f9b7395cdf0639812d2b5d762fc02eb930bf687b4dc6378839338ae4f90d38a

SHA512
518041c4f94bf96ad0670bf97d37c5025e38036b2fed219d5ff91d31b81373e1943d06b1f7f99a1e5f7f9f4b16923716bbaaf1c8e2d457812297e8f2b85a637d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6445215.exe

Filesize
962KB

MD5
7424dd4b4a41bdfbac266dd2616587e8

SHA1
90995dd668e35a6127e21174f3f6b5782a827451

SHA256
1f9b7395cdf0639812d2b5d762fc02eb930bf687b4dc6378839338ae4f90d38a

SHA512
518041c4f94bf96ad0670bf97d37c5025e38036b2fed219d5ff91d31b81373e1943d06b1f7f99a1e5f7f9f4b16923716bbaaf1c8e2d457812297e8f2b85a637d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6445215.exe

Filesize
962KB

MD5
7424dd4b4a41bdfbac266dd2616587e8

SHA1
90995dd668e35a6127e21174f3f6b5782a827451

SHA256
1f9b7395cdf0639812d2b5d762fc02eb930bf687b4dc6378839338ae4f90d38a

SHA512
518041c4f94bf96ad0670bf97d37c5025e38036b2fed219d5ff91d31b81373e1943d06b1f7f99a1e5f7f9f4b16923716bbaaf1c8e2d457812297e8f2b85a637d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4743630.exe

Filesize
602KB

MD5
0d9de0387aecfac2d5ecc2bfadeb0c3e

SHA1
fdb2a3638431ac0e25bf52def35ed2780ffe3ba7

SHA256
d4350724e4ee3dd9f4dd852807a52931d8fb8807a0c7025c7d059f26bbc4624d

SHA512
3f74617c05b442379683e7a5c706c6b701fb03c16360ad751f9701e5290726b3a75f8cbbb68cf60d7d92657d005f158d7cb40e45101a4ecfc86f0fd63eb8ee38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4743630.exe

Filesize
602KB

MD5
0d9de0387aecfac2d5ecc2bfadeb0c3e

SHA1
fdb2a3638431ac0e25bf52def35ed2780ffe3ba7

SHA256
d4350724e4ee3dd9f4dd852807a52931d8fb8807a0c7025c7d059f26bbc4624d

SHA512
3f74617c05b442379683e7a5c706c6b701fb03c16360ad751f9701e5290726b3a75f8cbbb68cf60d7d92657d005f158d7cb40e45101a4ecfc86f0fd63eb8ee38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5875123.exe

Filesize
328KB

MD5
67fe3d5c304c736c6acbdc6a009035bb

SHA1
340917484184487a9243124d1d625cdb3dd4c9cb

SHA256
fcedbe1dcbe6227e6827fa5d53aa7763e9e79026da2061078cfa303c3214216c

SHA512
6d67eeac982d03c780e3d35f7022823257036223e542b324e2ee1692dc8cb9cda94964ab0f55a7f370f197021e76b1f6c90e26dbd404860256daddfce6062ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5875123.exe

Filesize
328KB

MD5
67fe3d5c304c736c6acbdc6a009035bb

SHA1
340917484184487a9243124d1d625cdb3dd4c9cb

SHA256
fcedbe1dcbe6227e6827fa5d53aa7763e9e79026da2061078cfa303c3214216c

SHA512
6d67eeac982d03c780e3d35f7022823257036223e542b324e2ee1692dc8cb9cda94964ab0f55a7f370f197021e76b1f6c90e26dbd404860256daddfce6062ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5228861.exe

Filesize
280KB

MD5
272a39e6024aba40f6720fbcc3bcd477

SHA1
8782d46761925a6c3f7bc0a8fc809099b3e723bc

SHA256
07c30ab9bc32f536efc51efe2018d5bf89e180aa2d678093856146eda7d1d0d7

SHA512
a05a8d7049c7fa583d332ebae42f817d8bf6100e1a048a8a8a4d4fd68d0a648c953b06d1068360b85e6bcfc5f611df3f22bf4c6c427470ba654f7e25b6b2446d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5228861.exe

Filesize
280KB

MD5
272a39e6024aba40f6720fbcc3bcd477

SHA1
8782d46761925a6c3f7bc0a8fc809099b3e723bc

SHA256
07c30ab9bc32f536efc51efe2018d5bf89e180aa2d678093856146eda7d1d0d7

SHA512
a05a8d7049c7fa583d332ebae42f817d8bf6100e1a048a8a8a4d4fd68d0a648c953b06d1068360b85e6bcfc5f611df3f22bf4c6c427470ba654f7e25b6b2446d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6695388.exe

Filesize
194KB

MD5
fee99533e545cde6421ab07d2e9b3c36

SHA1
f0bb3df761d954ccadedf0fafbced1aadff50ddd

SHA256
c9f4f19e45e877309b54772fc28f5e22a23f9004c26cfb4c610e46adf6d1f329

SHA512
7a1acd63a81008852a04cd3a5cf25efcf4f3a935c4ad2d0a2db2e586f8365acaed91158114d15cf3199bde590de26e512fe8f11e544443c3a970e14b9629a513

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6695388.exe

Filesize
194KB

MD5
fee99533e545cde6421ab07d2e9b3c36

SHA1
f0bb3df761d954ccadedf0fafbced1aadff50ddd

SHA256
c9f4f19e45e877309b54772fc28f5e22a23f9004c26cfb4c610e46adf6d1f329

SHA512
7a1acd63a81008852a04cd3a5cf25efcf4f3a935c4ad2d0a2db2e586f8365acaed91158114d15cf3199bde590de26e512fe8f11e544443c3a970e14b9629a513

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1739181.exe

Filesize
145KB

MD5
ef11616ee81edfb4c901000dd3cc7682

SHA1
c7a421ee5a961080d3fe753a88a1342455a51cf5

SHA256
41a8038acbb46ad52f5b047fc96645f220f06ac61ee4ac3c2102c9cdccc73cf4

SHA512
a5da7391dfc6ca4e54ecac8d081cd891ef735c48f29e03797fdc79631abf2f91226c76e7e29ee4bcb56f832d5316aa7dd9868a7ebeffe7eac528c8dddb1302d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1739181.exe

Filesize
145KB

MD5
ef11616ee81edfb4c901000dd3cc7682

SHA1
c7a421ee5a961080d3fe753a88a1342455a51cf5

SHA256
41a8038acbb46ad52f5b047fc96645f220f06ac61ee4ac3c2102c9cdccc73cf4

SHA512
a5da7391dfc6ca4e54ecac8d081cd891ef735c48f29e03797fdc79631abf2f91226c76e7e29ee4bcb56f832d5316aa7dd9868a7ebeffe7eac528c8dddb1302d8

Download Submit
memory/392-220-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/392-221-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/392-244-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/392-235-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/392-224-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/392-223-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1404-155-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1988-247-0x000001BAADB60000-0x000001BAADBFA000-memory.dmp

Filesize
616KB

Download
memory/2004-166-0x0000000005100000-0x0000000005112000-memory.dmp

Filesize
72KB

Download
memory/2004-176-0x0000000006CA0000-0x0000000006D16000-memory.dmp

Filesize
472KB

Download
memory/2004-177-0x0000000006D20000-0x0000000006D70000-memory.dmp

Filesize
320KB

Download
memory/2004-163-0x0000000000870000-0x000000000089A000-memory.dmp

Filesize
168KB

Download
memory/2004-172-0x0000000006430000-0x00000000065F2000-memory.dmp

Filesize
1.8MB

Download
memory/2004-164-0x00000000056E0000-0x0000000005CF8000-memory.dmp

Filesize
6.1MB

Download
memory/2004-171-0x0000000006670000-0x0000000006C14000-memory.dmp

Filesize
5.6MB

Download
memory/2004-170-0x0000000006020000-0x00000000060B2000-memory.dmp

Filesize
584KB

Download
memory/2004-173-0x0000000007150000-0x000000000767C000-memory.dmp

Filesize
5.2MB

Download
memory/2004-165-0x00000000051D0000-0x00000000052DA000-memory.dmp

Filesize
1.0MB

Download
memory/2004-169-0x0000000005470000-0x00000000054D6000-memory.dmp

Filesize
408KB

Download
memory/2004-168-0x0000000005160000-0x000000000519C000-memory.dmp

Filesize
240KB

Download
memory/2004-175-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/2004-167-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/2180-195-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2180-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2180-203-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2180-199-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2180-198-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2324-194-0x0000000007C40000-0x0000000007C50000-memory.dmp

Filesize
64KB

Download
memory/2324-192-0x0000000000CE0000-0x0000000000DD8000-memory.dmp

Filesize
992KB

Download
memory/3572-256-0x0000028E75150000-0x0000028E75160000-memory.dmp

Filesize
64KB

Download
memory/4660-193-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4660-183-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4964-216-0x0000000007B30000-0x0000000007B40000-memory.dmp

Filesize
64KB

Download