gurcu | a6dadc69a39cb9764e698b642c25d1bd5574e0abb716fdc505a324d9a9ee1044

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2023 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6dadc69a39cb9764e698b642c25d1bd5574e0abb716fdc505a324d9a9ee1044.exe
Size

1.0MB
MD5

526c4ea338e9fa8a04f26d8f24bba7b7
SHA1

2f08ad67e3767882c10f5441d1f247582826969d
SHA256

a6dadc69a39cb9764e698b642c25d1bd5574e0abb716fdc505a324d9a9ee1044
SHA512

4a8bbd1bd472d90f8431f6a4963f93679e0eee7cc5859af47ae9f7fc3f37f017df31e5a6f0854715eebdac886647424ed382c7005224565d9fe88a8f55168a4b
SSDEEP

24576:8yYPgVz2XovigwwzNQsAEH50TfqtR31ay9UQy0jht:rYPgVz5viJaasAEHDtRFay9UK

Score

10^/10

gurcu redline fash lina collection discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lina

83.97.73.122:19062

Attributes

auth_value
13523aee5d194d7716b22eeab7de10ad

Extracted

Family

redline

Botnet

fash

83.97.73.122:19062

Attributes

auth_value
dd7165bcd22b0ed3df426d944e12f136

Extracted

Family

gurcu

https://api.telegram.org/bot6237712604:AAESgAGfaQ0EUC8eWgMd7kpAW_FEGRDRfDs/sendMessage?chat_id=880824160

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	k2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	k2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	k2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	s6583997.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	legends.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	k2.exe

Executes dropped EXE 20 IoCs

pid	Process
5096	z7431972.exe
3820	z1410980.exe
3140	o7658505.exe
4864	p6461947.exe
2764	r3569960.exe
4544	s6583997.exe
1544	s6583997.exe
4688	legends.exe
4276	legends.exe
264	k2.exe
4448	k2.exe
3420	tor.exe
4680	k2.exe
3068	legends.exe
392	tor.exe
1144	legends.exe
1132	k2.exe
4100	legends.exe
1536	tor.exe
4316	legends.exe

Loads dropped DLL 1 IoCs

pid	Process
1972	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe
Key opened	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe
Key opened	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a6dadc69a39cb9764e698b642c25d1bd5574e0abb716fdc505a324d9a9ee1044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a6dadc69a39cb9764e698b642c25d1bd5574e0abb716fdc505a324d9a9ee1044.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7431972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7431972.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z1410980.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1410980.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
83	ip-api.com

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3140 set thread context of 4220	3140	o7658505.exe	87
PID 2764 set thread context of 1108	2764	r3569960.exe	97
PID 4544 set thread context of 1544	4544	s6583997.exe	99
PID 4688 set thread context of 4276	4688	legends.exe	101
PID 3068 set thread context of 1144	3068	legends.exe	127
PID 4100 set thread context of 4316	4100	legends.exe	136

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
648	4680	WerFault.exe	125
4696	1132	WerFault.exe	134

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
396	schtasks.exe
2336	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4100	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4220	AppLaunch.exe
4220	AppLaunch.exe
4864	p6461947.exe
4864	p6461947.exe
1108	AppLaunch.exe
1108	AppLaunch.exe
4448	k2.exe
4448	k2.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4220	AppLaunch.exe
Token: SeDebugPrivilege	4864	p6461947.exe
Token: SeDebugPrivilege	4544	s6583997.exe
Token: SeDebugPrivilege	4688	legends.exe
Token: SeDebugPrivilege	1108	AppLaunch.exe
Token: SeDebugPrivilege	264	k2.exe
Token: SeDebugPrivilege	4448	k2.exe
Token: SeDebugPrivilege	4680	k2.exe
Token: SeDebugPrivilege	3068	legends.exe
Token: SeDebugPrivilege	1132	k2.exe
Token: SeDebugPrivilege	4100	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1544	s6583997.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 5096	4264	a6dadc69a39cb9764e698b642c25d1bd5574e0abb716fdc505a324d9a9ee1044.exe	83
PID 4264 wrote to memory of 5096	4264	a6dadc69a39cb9764e698b642c25d1bd5574e0abb716fdc505a324d9a9ee1044.exe	83
PID 4264 wrote to memory of 5096	4264	a6dadc69a39cb9764e698b642c25d1bd5574e0abb716fdc505a324d9a9ee1044.exe	83
PID 5096 wrote to memory of 3820	5096	z7431972.exe	84
PID 5096 wrote to memory of 3820	5096	z7431972.exe	84
PID 5096 wrote to memory of 3820	5096	z7431972.exe	84
PID 3820 wrote to memory of 3140	3820	z1410980.exe	85
PID 3820 wrote to memory of 3140	3820	z1410980.exe	85
PID 3820 wrote to memory of 3140	3820	z1410980.exe	85
PID 3140 wrote to memory of 4220	3140	o7658505.exe	87
PID 3140 wrote to memory of 4220	3140	o7658505.exe	87
PID 3140 wrote to memory of 4220	3140	o7658505.exe	87
PID 3140 wrote to memory of 4220	3140	o7658505.exe	87
PID 3140 wrote to memory of 4220	3140	o7658505.exe	87
PID 3820 wrote to memory of 4864	3820	z1410980.exe	88
PID 3820 wrote to memory of 4864	3820	z1410980.exe	88
PID 3820 wrote to memory of 4864	3820	z1410980.exe	88
PID 5096 wrote to memory of 2764	5096	z7431972.exe	95
PID 5096 wrote to memory of 2764	5096	z7431972.exe	95
PID 5096 wrote to memory of 2764	5096	z7431972.exe	95
PID 2764 wrote to memory of 1108	2764	r3569960.exe	97
PID 2764 wrote to memory of 1108	2764	r3569960.exe	97
PID 2764 wrote to memory of 1108	2764	r3569960.exe	97
PID 2764 wrote to memory of 1108	2764	r3569960.exe	97
PID 2764 wrote to memory of 1108	2764	r3569960.exe	97
PID 4264 wrote to memory of 4544	4264	a6dadc69a39cb9764e698b642c25d1bd5574e0abb716fdc505a324d9a9ee1044.exe	98
PID 4264 wrote to memory of 4544	4264	a6dadc69a39cb9764e698b642c25d1bd5574e0abb716fdc505a324d9a9ee1044.exe	98
PID 4264 wrote to memory of 4544	4264	a6dadc69a39cb9764e698b642c25d1bd5574e0abb716fdc505a324d9a9ee1044.exe	98
PID 4544 wrote to memory of 1544	4544	s6583997.exe	99
PID 4544 wrote to memory of 1544	4544	s6583997.exe	99
PID 4544 wrote to memory of 1544	4544	s6583997.exe	99
PID 4544 wrote to memory of 1544	4544	s6583997.exe	99
PID 4544 wrote to memory of 1544	4544	s6583997.exe	99
PID 4544 wrote to memory of 1544	4544	s6583997.exe	99
PID 4544 wrote to memory of 1544	4544	s6583997.exe	99
PID 4544 wrote to memory of 1544	4544	s6583997.exe	99
PID 4544 wrote to memory of 1544	4544	s6583997.exe	99
PID 4544 wrote to memory of 1544	4544	s6583997.exe	99
PID 1544 wrote to memory of 4688	1544	s6583997.exe	100
PID 1544 wrote to memory of 4688	1544	s6583997.exe	100
PID 1544 wrote to memory of 4688	1544	s6583997.exe	100
PID 4688 wrote to memory of 4276	4688	legends.exe	101
PID 4688 wrote to memory of 4276	4688	legends.exe	101
PID 4688 wrote to memory of 4276	4688	legends.exe	101
PID 4688 wrote to memory of 4276	4688	legends.exe	101
PID 4688 wrote to memory of 4276	4688	legends.exe	101
PID 4688 wrote to memory of 4276	4688	legends.exe	101
PID 4688 wrote to memory of 4276	4688	legends.exe	101
PID 4688 wrote to memory of 4276	4688	legends.exe	101
PID 4688 wrote to memory of 4276	4688	legends.exe	101
PID 4688 wrote to memory of 4276	4688	legends.exe	101
PID 4276 wrote to memory of 396	4276	legends.exe	103
PID 4276 wrote to memory of 396	4276	legends.exe	103
PID 4276 wrote to memory of 396	4276	legends.exe	103
PID 4276 wrote to memory of 3444	4276	legends.exe	105
PID 4276 wrote to memory of 3444	4276	legends.exe	105
PID 4276 wrote to memory of 3444	4276	legends.exe	105
PID 3444 wrote to memory of 4376	3444	cmd.exe	107
PID 3444 wrote to memory of 4376	3444	cmd.exe	107
PID 3444 wrote to memory of 4376	3444	cmd.exe	107
PID 3444 wrote to memory of 4848	3444	cmd.exe	108
PID 3444 wrote to memory of 4848	3444	cmd.exe	108
PID 3444 wrote to memory of 4848	3444	cmd.exe	108
PID 3444 wrote to memory of 1744	3444	cmd.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe

C:\Users\Admin\AppData\Local\Temp\a6dadc69a39cb9764e698b642c25d1bd5574e0abb716fdc505a324d9a9ee1044.exe
"C:\Users\Admin\AppData\Local\Temp\a6dadc69a39cb9764e698b642c25d1bd5574e0abb716fdc505a324d9a9ee1044.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7431972.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7431972.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1410980.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1410980.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3820
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7658505.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7658505.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3140
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6461947.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6461947.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4864
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3569960.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3569960.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1108
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6583997.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6583997.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6583997.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6583997.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4688
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4276
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:396
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:4192
      - C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "k2" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe"
        7⤵
        
        PID:2696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1332
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1
        8⤵
        Runs ping.exe
        
        PID:4100
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "k2" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe
        
        "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:4448
        
        C:\Windows\System32\tar.exe
        
        "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpF4F4.tmp" -C "C:\Users\Admin\AppData\Local\x22nso3f7r"
        9⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
        
        "C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
        9⤵
        Executes dropped EXE
        
        PID:3420
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:1972

C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe
C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4680
- C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
  "C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4680 -s 1836
  2⤵
  - Program crash
  PID:648

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3068
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:1144

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4680 -ip 4680
1⤵
PID:4744

C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe
C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1132
- C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
  "C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1132 -s 2108
  2⤵
  - Program crash
  PID:4696

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4100
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:4316

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 1132 -ip 1132
1⤵
PID:3684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\k2.exe.log

Filesize
1KB

MD5
fc1be6f3f52d5c841af91f8fc3f790cb

SHA1
ac79b4229e0a0ce378ae22fc6104748c5f234511

SHA256
6da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910

SHA512
2f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
2bdfa3c153678d213aac1ce1fd6c39b8

SHA1
e23e506710b898efd8a65caf4671c315792f0f6e

SHA256
627d4443fa646c23f279c12a443399047069c9edee297475a405d01270dd7347

SHA512
c5928d9ee387b32be90141ce048f9ff8a086e2df2fe563922d5f7e47bafa91d9eb99a08fc3e608c4d73f2d60ebffd89693cf71061110ad98e67fcc6de209bdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
2bdfa3c153678d213aac1ce1fd6c39b8

SHA1
e23e506710b898efd8a65caf4671c315792f0f6e

SHA256
627d4443fa646c23f279c12a443399047069c9edee297475a405d01270dd7347

SHA512
c5928d9ee387b32be90141ce048f9ff8a086e2df2fe563922d5f7e47bafa91d9eb99a08fc3e608c4d73f2d60ebffd89693cf71061110ad98e67fcc6de209bdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
2bdfa3c153678d213aac1ce1fd6c39b8

SHA1
e23e506710b898efd8a65caf4671c315792f0f6e

SHA256
627d4443fa646c23f279c12a443399047069c9edee297475a405d01270dd7347

SHA512
c5928d9ee387b32be90141ce048f9ff8a086e2df2fe563922d5f7e47bafa91d9eb99a08fc3e608c4d73f2d60ebffd89693cf71061110ad98e67fcc6de209bdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
2bdfa3c153678d213aac1ce1fd6c39b8

SHA1
e23e506710b898efd8a65caf4671c315792f0f6e

SHA256
627d4443fa646c23f279c12a443399047069c9edee297475a405d01270dd7347

SHA512
c5928d9ee387b32be90141ce048f9ff8a086e2df2fe563922d5f7e47bafa91d9eb99a08fc3e608c4d73f2d60ebffd89693cf71061110ad98e67fcc6de209bdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
2bdfa3c153678d213aac1ce1fd6c39b8

SHA1
e23e506710b898efd8a65caf4671c315792f0f6e

SHA256
627d4443fa646c23f279c12a443399047069c9edee297475a405d01270dd7347

SHA512
c5928d9ee387b32be90141ce048f9ff8a086e2df2fe563922d5f7e47bafa91d9eb99a08fc3e608c4d73f2d60ebffd89693cf71061110ad98e67fcc6de209bdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
2bdfa3c153678d213aac1ce1fd6c39b8

SHA1
e23e506710b898efd8a65caf4671c315792f0f6e

SHA256
627d4443fa646c23f279c12a443399047069c9edee297475a405d01270dd7347

SHA512
c5928d9ee387b32be90141ce048f9ff8a086e2df2fe563922d5f7e47bafa91d9eb99a08fc3e608c4d73f2d60ebffd89693cf71061110ad98e67fcc6de209bdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
2bdfa3c153678d213aac1ce1fd6c39b8

SHA1
e23e506710b898efd8a65caf4671c315792f0f6e

SHA256
627d4443fa646c23f279c12a443399047069c9edee297475a405d01270dd7347

SHA512
c5928d9ee387b32be90141ce048f9ff8a086e2df2fe563922d5f7e47bafa91d9eb99a08fc3e608c4d73f2d60ebffd89693cf71061110ad98e67fcc6de209bdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
2bdfa3c153678d213aac1ce1fd6c39b8

SHA1
e23e506710b898efd8a65caf4671c315792f0f6e

SHA256
627d4443fa646c23f279c12a443399047069c9edee297475a405d01270dd7347

SHA512
c5928d9ee387b32be90141ce048f9ff8a086e2df2fe563922d5f7e47bafa91d9eb99a08fc3e608c4d73f2d60ebffd89693cf71061110ad98e67fcc6de209bdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6583997.exe

Filesize
962KB

MD5
2bdfa3c153678d213aac1ce1fd6c39b8

SHA1
e23e506710b898efd8a65caf4671c315792f0f6e

SHA256
627d4443fa646c23f279c12a443399047069c9edee297475a405d01270dd7347

SHA512
c5928d9ee387b32be90141ce048f9ff8a086e2df2fe563922d5f7e47bafa91d9eb99a08fc3e608c4d73f2d60ebffd89693cf71061110ad98e67fcc6de209bdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6583997.exe

Filesize
962KB

MD5
2bdfa3c153678d213aac1ce1fd6c39b8

SHA1
e23e506710b898efd8a65caf4671c315792f0f6e

SHA256
627d4443fa646c23f279c12a443399047069c9edee297475a405d01270dd7347

SHA512
c5928d9ee387b32be90141ce048f9ff8a086e2df2fe563922d5f7e47bafa91d9eb99a08fc3e608c4d73f2d60ebffd89693cf71061110ad98e67fcc6de209bdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6583997.exe

Filesize
962KB

MD5
2bdfa3c153678d213aac1ce1fd6c39b8

SHA1
e23e506710b898efd8a65caf4671c315792f0f6e

SHA256
627d4443fa646c23f279c12a443399047069c9edee297475a405d01270dd7347

SHA512
c5928d9ee387b32be90141ce048f9ff8a086e2df2fe563922d5f7e47bafa91d9eb99a08fc3e608c4d73f2d60ebffd89693cf71061110ad98e67fcc6de209bdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7431972.exe

Filesize
601KB

MD5
30ef2b18bc1f63a81c4c6afde909fb7f

SHA1
67d07f933e6e1d4166c910794ca35532a9d227f7

SHA256
e409e1dc9fafe278bd6c755d0fde6e4e21f866ce0df1a64e233da495fdaa7785

SHA512
044ceccc438dff62591da809875fd922e948bb88df6dbc938ae1fcf03ca0cd245aff1223d4d810148f9bed271a2f08afd64b8567fb74cdf8cc98d25a7ebb2df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7431972.exe

Filesize
601KB

MD5
30ef2b18bc1f63a81c4c6afde909fb7f

SHA1
67d07f933e6e1d4166c910794ca35532a9d227f7

SHA256
e409e1dc9fafe278bd6c755d0fde6e4e21f866ce0df1a64e233da495fdaa7785

SHA512
044ceccc438dff62591da809875fd922e948bb88df6dbc938ae1fcf03ca0cd245aff1223d4d810148f9bed271a2f08afd64b8567fb74cdf8cc98d25a7ebb2df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3569960.exe

Filesize
328KB

MD5
4d843027d9bf711f1bf6a0af0a5b223a

SHA1
d3114640ec663b90771d9c2428ed9c0e991cb8bc

SHA256
dc3c4d06708a47708297fdacbf80080ab00738c49b98cd4d125d13681065932b

SHA512
cea44b89df9e40498dbd367b6e1cbfdb45af499a8276cef7cf242b0313db6cedc3c82d22d06dddff70dc3d8c88717ed71571134e9b8ec9527d22f26ff1d0c00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3569960.exe

Filesize
328KB

MD5
4d843027d9bf711f1bf6a0af0a5b223a

SHA1
d3114640ec663b90771d9c2428ed9c0e991cb8bc

SHA256
dc3c4d06708a47708297fdacbf80080ab00738c49b98cd4d125d13681065932b

SHA512
cea44b89df9e40498dbd367b6e1cbfdb45af499a8276cef7cf242b0313db6cedc3c82d22d06dddff70dc3d8c88717ed71571134e9b8ec9527d22f26ff1d0c00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1410980.exe

Filesize
280KB

MD5
8586eecd28397de654a54e68083271aa

SHA1
dddf377aa464f7f73cea1de44dccc8f4e5a89f8a

SHA256
961f03d7c7a31dec9978c8c18513495744d0faf79c680f8511a341975368edac

SHA512
487a7d22de6653a6637f4fb82afda94dfa4c3a12272d299d147746dae77b600d38d8959b225d7889e0df63a161cea902391075f983e2144b3488246f52b14339

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1410980.exe

Filesize
280KB

MD5
8586eecd28397de654a54e68083271aa

SHA1
dddf377aa464f7f73cea1de44dccc8f4e5a89f8a

SHA256
961f03d7c7a31dec9978c8c18513495744d0faf79c680f8511a341975368edac

SHA512
487a7d22de6653a6637f4fb82afda94dfa4c3a12272d299d147746dae77b600d38d8959b225d7889e0df63a161cea902391075f983e2144b3488246f52b14339

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7658505.exe

Filesize
194KB

MD5
de29b1d08dc876715ecc5decbd62d1f1

SHA1
9702174712d37cdf801899310d4ef2e9dcf525b5

SHA256
94cc9d4041dc080e2ae2eb9231dcec68eb17b354fbb1efc4c2ddefa673138412

SHA512
dc03496dcd4f68026274a05184e086924712afb0cf80e7caa967179cfb16b2e256964f8572c57722506c58b14a1d08327fe1e22ee8ab1f4361da5d336484d141

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7658505.exe

Filesize
194KB

MD5
de29b1d08dc876715ecc5decbd62d1f1

SHA1
9702174712d37cdf801899310d4ef2e9dcf525b5

SHA256
94cc9d4041dc080e2ae2eb9231dcec68eb17b354fbb1efc4c2ddefa673138412

SHA512
dc03496dcd4f68026274a05184e086924712afb0cf80e7caa967179cfb16b2e256964f8572c57722506c58b14a1d08327fe1e22ee8ab1f4361da5d336484d141

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6461947.exe

Filesize
145KB

MD5
295954d6e64d824b5b5245703a240ca5

SHA1
e541f2ad5ef64f4742486537480d8ffaf2fc6a4a

SHA256
065802f9fc36965dd7f41b81f3d48712ef90cd10721555d4f343fcc5e68539f7

SHA512
6ade1497dd2ecf7f0e03917316302b385dac0092b156609ed1483542f943937108a6f6ed06943a6d26b84b27546323850c694110ba6c0c0fe7cf202efdb2a718

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6461947.exe

Filesize
145KB

MD5
295954d6e64d824b5b5245703a240ca5

SHA1
e541f2ad5ef64f4742486537480d8ffaf2fc6a4a

SHA256
065802f9fc36965dd7f41b81f3d48712ef90cd10721555d4f343fcc5e68539f7

SHA512
6ade1497dd2ecf7f0e03917316302b385dac0092b156609ed1483542f943937108a6f6ed06943a6d26b84b27546323850c694110ba6c0c0fe7cf202efdb2a718

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF4F4.tmp

Filesize
13.3MB

MD5
89d2d5811c1aff539bb355f15f3ddad0

SHA1
5bb3577c25b6d323d927200c48cd184a3e27c873

SHA256
b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

SHA512
39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\data\cached-microdescs.new

Filesize
11.4MB

MD5
5754b2941647ba96c8065460010d858f

SHA1
337a50666b8adff992d239fc82fc77c9a4883de5

SHA256
bd4e15c6fdc6da7b7e1abaf928ad0ca7ff8100f25d3eb11421acda35643c002b

SHA512
50b9f714f984e51e97be7b7257e87fd6a07c43fbc42da218c0887969743ed7c4742a92265072f7e91eb88b9dc8c7b96084f694845e415072d0a280dce84c46f5

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\data\unverified-microdesc-consensus

Filesize
2.2MB

MD5
92f59091e42f6e0d5e8e3b75c907a004

SHA1
8bc3ffded25bf6bff0e34076ce7bba4ccf8a3ada

SHA256
ad87d7e06bcda8e2cbcb80b235b4585caf74f2bf72d7e0b26606fa5133398a51

SHA512
5a044fe31ac151e0c86ba296aacec41a3a7509f106011c6eb04f0dbfb1326250978355a482b33cbb362926bd33476e4eb67e437a956eb37d971c6da0042ac81b

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\host\hostname

Filesize
64B

MD5
6391c51cbe66a20d91062a2d351e2b5a

SHA1
61736f2b03a26c356d7cac254c536c3e6f8c7663

SHA256
ae4be59c9d7c01acc5efc88789f580e8a52257100aa5a0e429b82c25a5e867cd

SHA512
2968d97838e4cc646a2741e949130ffc22a3484ba33162bd486b23b878ec8c9f24898ea7bae50821330ffdad523f8bf36ac6236ee9ba6c0a74aa92340b9faa24

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\port.dat

Filesize
4B

MD5
c457d7ae48d08a6b84bc0b1b9bd7d474

SHA1
e7a7042e5f77281abcc18c30e7197a1ada738d31

SHA256
0709e1008834c2ca8648376ac62d74ac8df5457069cbfedf2b0776dab07a3c5b

SHA512
67b4ec9fa754d998fdfff092b102e30cdd9c35049eb1eadce804830ac09aeeeb49ef69fce7938ebef9936157cb99a174887cb7cd54dfef96fe554fcc4da81217

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt

Filesize
218B

MD5
deaeb306c85d1113f993e1fc56bfd29a

SHA1
a99bbd74911157e0d43c438f465865d1757db126

SHA256
e736c4aaf41ffbdfbffcb3f34f47c073727af41336a65b3a933ee51e971d0fef

SHA512
8ebae2b513b8d397c7281a0b9788351c30a2227281207b2cbb4555cb9d1ac8a1ef1d9d40e74d6c0e251478c2256e30ec35e7abff4a0def0cd2a65c3a51dc4485

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/264-248-0x000001EAE72A0000-0x000001EAE72B0000-memory.dmp

Filesize
64KB

Download
memory/264-247-0x000001EACCBE0000-0x000001EACCC7A000-memory.dmp

Filesize
616KB

Download
memory/1108-194-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/1108-183-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1132-356-0x000002144F150000-0x000002144F160000-memory.dmp

Filesize
64KB

Download
memory/1144-324-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1144-323-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1144-322-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1544-198-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1544-199-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1544-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1544-195-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1544-203-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4100-357-0x0000000007100000-0x0000000007110000-memory.dmp

Filesize
64KB

Download
memory/4220-155-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4276-221-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4276-245-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4276-235-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4276-350-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4276-224-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4276-223-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4276-220-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4316-362-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4316-360-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4316-361-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4448-296-0x00000236B8580000-0x00000236B8590000-memory.dmp

Filesize
64KB

Download
memory/4448-257-0x00000236B8580000-0x00000236B8590000-memory.dmp

Filesize
64KB

Download
memory/4544-192-0x00000000000F0000-0x00000000001E8000-memory.dmp

Filesize
992KB

Download
memory/4544-193-0x0000000006E30000-0x0000000006E40000-memory.dmp

Filesize
64KB

Download
memory/4680-315-0x000001E5EB7A0000-0x000001E5EB7B0000-memory.dmp

Filesize
64KB

Download
memory/4688-216-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/4864-173-0x0000000007650000-0x0000000007B7C000-memory.dmp

Filesize
5.2MB

Download
memory/4864-171-0x0000000006290000-0x00000000062F6000-memory.dmp

Filesize
408KB

Download
memory/4864-172-0x0000000006F50000-0x0000000007112000-memory.dmp

Filesize
1.8MB

Download
memory/4864-170-0x00000000067D0000-0x0000000006D74000-memory.dmp

Filesize
5.6MB

Download
memory/4864-169-0x0000000005A50000-0x0000000005AE2000-memory.dmp

Filesize
584KB

Download
memory/4864-168-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/4864-167-0x0000000005730000-0x000000000576C000-memory.dmp

Filesize
240KB

Download
memory/4864-166-0x00000000056B0000-0x00000000056C2000-memory.dmp

Filesize
72KB

Download
memory/4864-165-0x0000000005780000-0x000000000588A000-memory.dmp

Filesize
1.0MB

Download
memory/4864-164-0x0000000005C00000-0x0000000006218000-memory.dmp

Filesize
6.1MB

Download
memory/4864-163-0x0000000000CE0000-0x0000000000D0A000-memory.dmp

Filesize
168KB

Download
memory/4864-175-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/4864-176-0x0000000006E00000-0x0000000006E76000-memory.dmp

Filesize
472KB

Download
memory/4864-177-0x0000000006E80000-0x0000000006ED0000-memory.dmp

Filesize
320KB

Download