gurcu | c620bd31eb99e4436fe58a443d34c1d357e5402c0534de46b49628aecef8f271

Analysis

max time kernel
40s
max time network
146s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
25/05/2023, 12:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c620bd31eb99e4436fe58a443d34c1d357e5402c0534de46b49628aecef8f271.exe
Size

1.0MB
MD5

1539dd13f7d062b31bd824dca347dfb5
SHA1

7c65a1b4e550aa7e198920ff0e4e508eae48aaed
SHA256

c620bd31eb99e4436fe58a443d34c1d357e5402c0534de46b49628aecef8f271
SHA512

690cffe1fbe37945a4323362fa7587c4165fbdc334ff1f1cc7d556e7d20a906722ca7f52f9a16adab3611c00cc1040ace1b831f61fe85a94bf7ad79de7a29f90
SSDEEP

24576:ty8kdbt85jrVvQ2uwJ0mfhMOmlgqOyUHbufvh4:Ihg8oXgg5yUqnh

Score

10^/10

gurcu redline fash lina discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lina

83.97.73.122:19062

Attributes

auth_value
13523aee5d194d7716b22eeab7de10ad

Extracted

Family

redline

Botnet

fash

83.97.73.122:19062

Attributes

auth_value
dd7165bcd22b0ed3df426d944e12f136

Extracted

Family

gurcu

https://api.telegram.org/bot6237712604:AAESgAGfaQ0EUC8eWgMd7kpAW_FEGRDRfDs/sendMessage?chat_id=880824160

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
3568	z1141361.exe
1012	z7156770.exe
4852	o6242223.exe
3912	p4905930.exe
1812	r4904624.exe
3744	s6693807.exe
1260	s6693807.exe
4800	s6693807.exe
5068	legends.exe
5040	legends.exe
1132	legends.exe
496	legends.exe
3668	k2.exe
2780	k2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c620bd31eb99e4436fe58a443d34c1d357e5402c0534de46b49628aecef8f271.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c620bd31eb99e4436fe58a443d34c1d357e5402c0534de46b49628aecef8f271.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z1141361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1141361.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7156770.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7156770.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4852 set thread context of 2776	4852	o6242223.exe	70
PID 1812 set thread context of 4448	1812	r4904624.exe	75
PID 3744 set thread context of 4800	3744	s6693807.exe	78
PID 5068 set thread context of 496	5068	legends.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3212	schtasks.exe
1540	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
956	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2776	AppLaunch.exe
2776	AppLaunch.exe
3912	p4905930.exe
3912	p4905930.exe
4448	AppLaunch.exe
4448	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	AppLaunch.exe
Token: SeDebugPrivilege	3912	p4905930.exe
Token: SeDebugPrivilege	3744	s6693807.exe
Token: SeDebugPrivilege	4448	AppLaunch.exe
Token: SeDebugPrivilege	5068	legends.exe
Token: SeDebugPrivilege	3668	k2.exe
Token: SeDebugPrivilege	2780	k2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4800	s6693807.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 3568	1608	c620bd31eb99e4436fe58a443d34c1d357e5402c0534de46b49628aecef8f271.exe	66
PID 1608 wrote to memory of 3568	1608	c620bd31eb99e4436fe58a443d34c1d357e5402c0534de46b49628aecef8f271.exe	66
PID 1608 wrote to memory of 3568	1608	c620bd31eb99e4436fe58a443d34c1d357e5402c0534de46b49628aecef8f271.exe	66
PID 3568 wrote to memory of 1012	3568	z1141361.exe	67
PID 3568 wrote to memory of 1012	3568	z1141361.exe	67
PID 3568 wrote to memory of 1012	3568	z1141361.exe	67
PID 1012 wrote to memory of 4852	1012	z7156770.exe	68
PID 1012 wrote to memory of 4852	1012	z7156770.exe	68
PID 1012 wrote to memory of 4852	1012	z7156770.exe	68
PID 4852 wrote to memory of 2776	4852	o6242223.exe	70
PID 4852 wrote to memory of 2776	4852	o6242223.exe	70
PID 4852 wrote to memory of 2776	4852	o6242223.exe	70
PID 4852 wrote to memory of 2776	4852	o6242223.exe	70
PID 4852 wrote to memory of 2776	4852	o6242223.exe	70
PID 1012 wrote to memory of 3912	1012	z7156770.exe	71
PID 1012 wrote to memory of 3912	1012	z7156770.exe	71
PID 1012 wrote to memory of 3912	1012	z7156770.exe	71
PID 3568 wrote to memory of 1812	3568	z1141361.exe	73
PID 3568 wrote to memory of 1812	3568	z1141361.exe	73
PID 3568 wrote to memory of 1812	3568	z1141361.exe	73
PID 1812 wrote to memory of 4448	1812	r4904624.exe	75
PID 1812 wrote to memory of 4448	1812	r4904624.exe	75
PID 1812 wrote to memory of 4448	1812	r4904624.exe	75
PID 1812 wrote to memory of 4448	1812	r4904624.exe	75
PID 1812 wrote to memory of 4448	1812	r4904624.exe	75
PID 1608 wrote to memory of 3744	1608	c620bd31eb99e4436fe58a443d34c1d357e5402c0534de46b49628aecef8f271.exe	76
PID 1608 wrote to memory of 3744	1608	c620bd31eb99e4436fe58a443d34c1d357e5402c0534de46b49628aecef8f271.exe	76
PID 1608 wrote to memory of 3744	1608	c620bd31eb99e4436fe58a443d34c1d357e5402c0534de46b49628aecef8f271.exe	76
PID 3744 wrote to memory of 1260	3744	s6693807.exe	77
PID 3744 wrote to memory of 1260	3744	s6693807.exe	77
PID 3744 wrote to memory of 1260	3744	s6693807.exe	77
PID 3744 wrote to memory of 1260	3744	s6693807.exe	77
PID 3744 wrote to memory of 4800	3744	s6693807.exe	78
PID 3744 wrote to memory of 4800	3744	s6693807.exe	78
PID 3744 wrote to memory of 4800	3744	s6693807.exe	78
PID 3744 wrote to memory of 4800	3744	s6693807.exe	78
PID 3744 wrote to memory of 4800	3744	s6693807.exe	78
PID 3744 wrote to memory of 4800	3744	s6693807.exe	78
PID 3744 wrote to memory of 4800	3744	s6693807.exe	78
PID 3744 wrote to memory of 4800	3744	s6693807.exe	78
PID 3744 wrote to memory of 4800	3744	s6693807.exe	78
PID 3744 wrote to memory of 4800	3744	s6693807.exe	78
PID 4800 wrote to memory of 5068	4800	s6693807.exe	79
PID 4800 wrote to memory of 5068	4800	s6693807.exe	79
PID 4800 wrote to memory of 5068	4800	s6693807.exe	79
PID 5068 wrote to memory of 5040	5068	legends.exe	80
PID 5068 wrote to memory of 5040	5068	legends.exe	80
PID 5068 wrote to memory of 5040	5068	legends.exe	80
PID 5068 wrote to memory of 5040	5068	legends.exe	80
PID 5068 wrote to memory of 1132	5068	legends.exe	81
PID 5068 wrote to memory of 1132	5068	legends.exe	81
PID 5068 wrote to memory of 1132	5068	legends.exe	81
PID 5068 wrote to memory of 1132	5068	legends.exe	81
PID 5068 wrote to memory of 496	5068	legends.exe	82
PID 5068 wrote to memory of 496	5068	legends.exe	82
PID 5068 wrote to memory of 496	5068	legends.exe	82
PID 5068 wrote to memory of 496	5068	legends.exe	82
PID 5068 wrote to memory of 496	5068	legends.exe	82
PID 5068 wrote to memory of 496	5068	legends.exe	82
PID 5068 wrote to memory of 496	5068	legends.exe	82
PID 5068 wrote to memory of 496	5068	legends.exe	82
PID 5068 wrote to memory of 496	5068	legends.exe	82
PID 5068 wrote to memory of 496	5068	legends.exe	82
PID 496 wrote to memory of 1540	496	legends.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c620bd31eb99e4436fe58a443d34c1d357e5402c0534de46b49628aecef8f271.exe
"C:\Users\Admin\AppData\Local\Temp\c620bd31eb99e4436fe58a443d34c1d357e5402c0534de46b49628aecef8f271.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1141361.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1141361.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7156770.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7156770.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6242223.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6242223.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4905930.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4905930.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3912
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4904624.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4904624.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4448
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6693807.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6693807.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6693807.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6693807.exe
    3⤵
    - Executes dropped EXE
    PID:1260
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6693807.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6693807.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5068
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Executes dropped EXE
        
        PID:5040
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Executes dropped EXE
        
        PID:1132
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:496
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:1540
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:1008
      - C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "k2" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe"
        7⤵
        
        PID:4548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1652
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1
        8⤵
        Runs ping.exe
        
        PID:956
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "k2" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe
        
        "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\k2.exe.log

Filesize
1KB

MD5
d51a38b0538aafbb39cd4743767cf2a3

SHA1
ec819ad7959110e2244b2978e4a60e4c5e99961d

SHA256
8678df64deb4a7203a8ac3eaa5af8b767111e753385d286f9e1c121d45830e22

SHA512
51ffb0c793f034843cf749716680bb6dd81c840bbe22f6426c8d14ffd62a7b4fab974325aa978e62ba57575b836aff4e00a810688818749021f658b623fd41f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
60f89769a9709d1b07e150634ed95d3b

SHA1
eaff528dbf18cb5ddca334e40069c575979a7c81

SHA256
798f72e447103ba309770118e64ae3f3f65ebbd8f7a266f780717be91cf7875b

SHA512
38c489ff17839b26b39b2fd71fbc29105817639ed7a193d405e4f0b51775ca3eb88582659209fdeaaceabca76d71a536ee186ff5f6b1c0370b4b9364a45d7e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
60f89769a9709d1b07e150634ed95d3b

SHA1
eaff528dbf18cb5ddca334e40069c575979a7c81

SHA256
798f72e447103ba309770118e64ae3f3f65ebbd8f7a266f780717be91cf7875b

SHA512
38c489ff17839b26b39b2fd71fbc29105817639ed7a193d405e4f0b51775ca3eb88582659209fdeaaceabca76d71a536ee186ff5f6b1c0370b4b9364a45d7e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
60f89769a9709d1b07e150634ed95d3b

SHA1
eaff528dbf18cb5ddca334e40069c575979a7c81

SHA256
798f72e447103ba309770118e64ae3f3f65ebbd8f7a266f780717be91cf7875b

SHA512
38c489ff17839b26b39b2fd71fbc29105817639ed7a193d405e4f0b51775ca3eb88582659209fdeaaceabca76d71a536ee186ff5f6b1c0370b4b9364a45d7e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
60f89769a9709d1b07e150634ed95d3b

SHA1
eaff528dbf18cb5ddca334e40069c575979a7c81

SHA256
798f72e447103ba309770118e64ae3f3f65ebbd8f7a266f780717be91cf7875b

SHA512
38c489ff17839b26b39b2fd71fbc29105817639ed7a193d405e4f0b51775ca3eb88582659209fdeaaceabca76d71a536ee186ff5f6b1c0370b4b9364a45d7e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
60f89769a9709d1b07e150634ed95d3b

SHA1
eaff528dbf18cb5ddca334e40069c575979a7c81

SHA256
798f72e447103ba309770118e64ae3f3f65ebbd8f7a266f780717be91cf7875b

SHA512
38c489ff17839b26b39b2fd71fbc29105817639ed7a193d405e4f0b51775ca3eb88582659209fdeaaceabca76d71a536ee186ff5f6b1c0370b4b9364a45d7e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
60f89769a9709d1b07e150634ed95d3b

SHA1
eaff528dbf18cb5ddca334e40069c575979a7c81

SHA256
798f72e447103ba309770118e64ae3f3f65ebbd8f7a266f780717be91cf7875b

SHA512
38c489ff17839b26b39b2fd71fbc29105817639ed7a193d405e4f0b51775ca3eb88582659209fdeaaceabca76d71a536ee186ff5f6b1c0370b4b9364a45d7e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6693807.exe

Filesize
962KB

MD5
60f89769a9709d1b07e150634ed95d3b

SHA1
eaff528dbf18cb5ddca334e40069c575979a7c81

SHA256
798f72e447103ba309770118e64ae3f3f65ebbd8f7a266f780717be91cf7875b

SHA512
38c489ff17839b26b39b2fd71fbc29105817639ed7a193d405e4f0b51775ca3eb88582659209fdeaaceabca76d71a536ee186ff5f6b1c0370b4b9364a45d7e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6693807.exe

Filesize
962KB

MD5
60f89769a9709d1b07e150634ed95d3b

SHA1
eaff528dbf18cb5ddca334e40069c575979a7c81

SHA256
798f72e447103ba309770118e64ae3f3f65ebbd8f7a266f780717be91cf7875b

SHA512
38c489ff17839b26b39b2fd71fbc29105817639ed7a193d405e4f0b51775ca3eb88582659209fdeaaceabca76d71a536ee186ff5f6b1c0370b4b9364a45d7e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6693807.exe

Filesize
962KB

MD5
60f89769a9709d1b07e150634ed95d3b

SHA1
eaff528dbf18cb5ddca334e40069c575979a7c81

SHA256
798f72e447103ba309770118e64ae3f3f65ebbd8f7a266f780717be91cf7875b

SHA512
38c489ff17839b26b39b2fd71fbc29105817639ed7a193d405e4f0b51775ca3eb88582659209fdeaaceabca76d71a536ee186ff5f6b1c0370b4b9364a45d7e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6693807.exe

Filesize
962KB

MD5
60f89769a9709d1b07e150634ed95d3b

SHA1
eaff528dbf18cb5ddca334e40069c575979a7c81

SHA256
798f72e447103ba309770118e64ae3f3f65ebbd8f7a266f780717be91cf7875b

SHA512
38c489ff17839b26b39b2fd71fbc29105817639ed7a193d405e4f0b51775ca3eb88582659209fdeaaceabca76d71a536ee186ff5f6b1c0370b4b9364a45d7e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1141361.exe

Filesize
602KB

MD5
7fd91c8be41bee087823fbe6cc8dacb5

SHA1
eeb39c47c9177661f898d9df037c8b9475e425a9

SHA256
4ad915ff37e8b1d8d834678e9abb7dd43fc2cd54a0c1ad114ab90642a5f71b5d

SHA512
82b4352ec5543d84a0c2006c75ff02cd3c4e07a19c32dd1b8e9e88549933595f714ce61b357fe042737da568cf11310b21197df5ed008a8cfa45d5faaac2b232

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1141361.exe

Filesize
602KB

MD5
7fd91c8be41bee087823fbe6cc8dacb5

SHA1
eeb39c47c9177661f898d9df037c8b9475e425a9

SHA256
4ad915ff37e8b1d8d834678e9abb7dd43fc2cd54a0c1ad114ab90642a5f71b5d

SHA512
82b4352ec5543d84a0c2006c75ff02cd3c4e07a19c32dd1b8e9e88549933595f714ce61b357fe042737da568cf11310b21197df5ed008a8cfa45d5faaac2b232

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4904624.exe

Filesize
328KB

MD5
511c4e26875cc1934d83f83d19b738ce

SHA1
71f54766144de0b7ce1f8fe980a99231a5aaaedf

SHA256
e43669ce87da1ac0642c71af2396af11a64ba8344bf0a11c4b8ad7c221aa98e4

SHA512
f7c7dd8e65107db2690bf28b7634f1786a4debeb44d3579f09e8570ea712fa762ae6f89b0e076b338005dc3fdb481d6afc043529db30e0e18c73997aea98d0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4904624.exe

Filesize
328KB

MD5
511c4e26875cc1934d83f83d19b738ce

SHA1
71f54766144de0b7ce1f8fe980a99231a5aaaedf

SHA256
e43669ce87da1ac0642c71af2396af11a64ba8344bf0a11c4b8ad7c221aa98e4

SHA512
f7c7dd8e65107db2690bf28b7634f1786a4debeb44d3579f09e8570ea712fa762ae6f89b0e076b338005dc3fdb481d6afc043529db30e0e18c73997aea98d0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7156770.exe

Filesize
280KB

MD5
216a067524c52ec863fb6de8e0e7cad1

SHA1
5ee2c4641bc0b5e5323c1f6c044b773672c52002

SHA256
e450678b2142910f193c3c3277807a1fa8554e1a717f454ee08b66d96fe740ba

SHA512
788a9d98430c22e27de7e176aff975ee8d2a6f607077f569c294e7e7a9305434413fe5f1b29a6beee886bb14f3532ee61b62ae18bd3405ce11f877865d445b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7156770.exe

Filesize
280KB

MD5
216a067524c52ec863fb6de8e0e7cad1

SHA1
5ee2c4641bc0b5e5323c1f6c044b773672c52002

SHA256
e450678b2142910f193c3c3277807a1fa8554e1a717f454ee08b66d96fe740ba

SHA512
788a9d98430c22e27de7e176aff975ee8d2a6f607077f569c294e7e7a9305434413fe5f1b29a6beee886bb14f3532ee61b62ae18bd3405ce11f877865d445b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6242223.exe

Filesize
194KB

MD5
d9305c34d731e47e007eba3a19a1c266

SHA1
8e6b94eba6bcc94737decdb28c021e82b7bdf26c

SHA256
817fc08af57e8b0905a8e1ba078ecc0ec5ef5e5d722106d1486a705479cd5ba9

SHA512
c0d8556eb2a12740eb4fe754bcdf753ecf6c18f7dc1d355416e3bd7d08f8d4b644a7806ad78da50c64c4aedbd1b506476af46a8e554bda335f25f2909e421962

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6242223.exe

Filesize
194KB

MD5
d9305c34d731e47e007eba3a19a1c266

SHA1
8e6b94eba6bcc94737decdb28c021e82b7bdf26c

SHA256
817fc08af57e8b0905a8e1ba078ecc0ec5ef5e5d722106d1486a705479cd5ba9

SHA512
c0d8556eb2a12740eb4fe754bcdf753ecf6c18f7dc1d355416e3bd7d08f8d4b644a7806ad78da50c64c4aedbd1b506476af46a8e554bda335f25f2909e421962

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4905930.exe

Filesize
145KB

MD5
f80fcb77b0fcbad9d593c9cb86854175

SHA1
e17aee640d12d8f1eb231d7b1535ee4d10fd1711

SHA256
2edd32ca7fb4c8af73f795a8cff0b040abe3129b9e5d6894bc93c00bf1d0fa74

SHA512
3a1fda1877b240f05868fa07bdde6e14d201cee2165263ad1fa862a1c31ffd96c8b6aabd85703d9d4fcb682a7ba91defe4488295f0494c60b310bd3aa92d0516

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4905930.exe

Filesize
145KB

MD5
f80fcb77b0fcbad9d593c9cb86854175

SHA1
e17aee640d12d8f1eb231d7b1535ee4d10fd1711

SHA256
2edd32ca7fb4c8af73f795a8cff0b040abe3129b9e5d6894bc93c00bf1d0fa74

SHA512
3a1fda1877b240f05868fa07bdde6e14d201cee2165263ad1fa862a1c31ffd96c8b6aabd85703d9d4fcb682a7ba91defe4488295f0494c60b310bd3aa92d0516

Download Submit
memory/496-384-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/496-369-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/496-370-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/496-372-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/496-373-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/496-388-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2776-142-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2780-399-0x00000266FB440000-0x00000266FB450000-memory.dmp

Filesize
64KB

Download
memory/3668-390-0x000002621ED60000-0x000002621EDFA000-memory.dmp

Filesize
616KB

Download
memory/3668-393-0x0000026239440000-0x0000026239450000-memory.dmp

Filesize
64KB

Download
memory/3744-207-0x0000000000B70000-0x0000000000C68000-memory.dmp

Filesize
992KB

Download
memory/3744-211-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/3912-186-0x0000000007280000-0x00000000077AC000-memory.dmp

Filesize
5.2MB

Download
memory/3912-159-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/3912-153-0x0000000000940000-0x000000000096A000-memory.dmp

Filesize
168KB

Download
memory/3912-154-0x0000000005730000-0x0000000005D36000-memory.dmp

Filesize
6.0MB

Download
memory/3912-155-0x0000000005260000-0x000000000536A000-memory.dmp

Filesize
1.0MB

Download
memory/3912-156-0x0000000005190000-0x00000000051A2000-memory.dmp

Filesize
72KB

Download
memory/3912-157-0x0000000005220000-0x000000000525E000-memory.dmp

Filesize
248KB

Download
memory/3912-185-0x0000000006B80000-0x0000000006D42000-memory.dmp

Filesize
1.8MB

Download
memory/3912-158-0x00000000051B0000-0x00000000051FB000-memory.dmp

Filesize
300KB

Download
memory/3912-188-0x0000000006400000-0x0000000006476000-memory.dmp

Filesize
472KB

Download
memory/3912-187-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/3912-189-0x0000000006480000-0x00000000064D0000-memory.dmp

Filesize
320KB

Download
memory/3912-168-0x0000000005510000-0x0000000005576000-memory.dmp

Filesize
408KB

Download
memory/3912-170-0x0000000006680000-0x0000000006B7E000-memory.dmp

Filesize
5.0MB

Download
memory/3912-169-0x00000000060E0000-0x0000000006172000-memory.dmp

Filesize
584KB

Download
memory/4448-195-0x0000000004400000-0x000000000442A000-memory.dmp

Filesize
168KB

Download
memory/4448-208-0x0000000008910000-0x0000000008920000-memory.dmp

Filesize
64KB

Download
memory/4800-217-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4800-223-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4800-220-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4800-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4800-243-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5068-248-0x0000000007AA0000-0x0000000007AB0000-memory.dmp

Filesize
64KB

Download