gurcu | b7b010c8489e943e4c95dca4d0d55bc366fff450a7fcc0d1fd3d48c7ababebb5

Analysis

max time kernel
33s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2023, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7b010c8489e943e4c95dca4d0d55bc366fff450a7fcc0d1fd3d48c7ababebb5.exe
Size

1.0MB
MD5

c9e4f65ed88d9bd1797d0f209bc9adcb
SHA1

1d91ebd9cc2f0f41d92932739a9e4a7e1783e489
SHA256

b7b010c8489e943e4c95dca4d0d55bc366fff450a7fcc0d1fd3d48c7ababebb5
SHA512

7f4e1579c06af9274d66312b8f54fca0e733eceaa646081e049dbef78bf95326225db4e253380532baedd5f0a7c1d80a6db756860d13b116b376735ec5be9b0c
SSDEEP

24576:ryi067E+0g0pXpry90yflOVy1saTaqDPsB:eiMNyiqB37

Score

10^/10

gurcu redline fash lina discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lina

83.97.73.122:19062

Attributes

auth_value
13523aee5d194d7716b22eeab7de10ad

Extracted

Family

redline

Botnet

fash

83.97.73.122:19062

Attributes

auth_value
dd7165bcd22b0ed3df426d944e12f136

Extracted

Family

gurcu

https://api.telegram.org/bot6237712604:AAESgAGfaQ0EUC8eWgMd7kpAW_FEGRDRfDs/sendMessage?chat_id=880824160

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	s4916137.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	legends.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	k2.exe

Executes dropped EXE 11 IoCs

pid	Process
4836	z7900213.exe
2752	z6699009.exe
4016	o3257181.exe
1168	p2353106.exe
1888	r8806620.exe
4392	s4916137.exe
4088	s4916137.exe
4608	legends.exe
2376	legends.exe
1028	k2.exe
2312	k2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b7b010c8489e943e4c95dca4d0d55bc366fff450a7fcc0d1fd3d48c7ababebb5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7900213.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7900213.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6699009.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6699009.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b7b010c8489e943e4c95dca4d0d55bc366fff450a7fcc0d1fd3d48c7ababebb5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4016 set thread context of 3128	4016	o3257181.exe	90
PID 1888 set thread context of 1992	1888	r8806620.exe	100
PID 4392 set thread context of 4088	4392	s4916137.exe	102
PID 4608 set thread context of 2376	4608	legends.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3908	schtasks.exe
860	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3120	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3128	AppLaunch.exe
3128	AppLaunch.exe
1168	p2353106.exe
1168	p2353106.exe
1992	AppLaunch.exe
1992	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3128	AppLaunch.exe
Token: SeDebugPrivilege	1168	p2353106.exe
Token: SeDebugPrivilege	4392	s4916137.exe
Token: SeDebugPrivilege	4608	legends.exe
Token: SeDebugPrivilege	1992	AppLaunch.exe
Token: SeDebugPrivilege	1028	k2.exe
Token: SeDebugPrivilege	2312	k2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4088	s4916137.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 4836	3708	b7b010c8489e943e4c95dca4d0d55bc366fff450a7fcc0d1fd3d48c7ababebb5.exe	86
PID 3708 wrote to memory of 4836	3708	b7b010c8489e943e4c95dca4d0d55bc366fff450a7fcc0d1fd3d48c7ababebb5.exe	86
PID 3708 wrote to memory of 4836	3708	b7b010c8489e943e4c95dca4d0d55bc366fff450a7fcc0d1fd3d48c7ababebb5.exe	86
PID 4836 wrote to memory of 2752	4836	z7900213.exe	87
PID 4836 wrote to memory of 2752	4836	z7900213.exe	87
PID 4836 wrote to memory of 2752	4836	z7900213.exe	87
PID 2752 wrote to memory of 4016	2752	z6699009.exe	88
PID 2752 wrote to memory of 4016	2752	z6699009.exe	88
PID 2752 wrote to memory of 4016	2752	z6699009.exe	88
PID 4016 wrote to memory of 3128	4016	o3257181.exe	90
PID 4016 wrote to memory of 3128	4016	o3257181.exe	90
PID 4016 wrote to memory of 3128	4016	o3257181.exe	90
PID 4016 wrote to memory of 3128	4016	o3257181.exe	90
PID 4016 wrote to memory of 3128	4016	o3257181.exe	90
PID 2752 wrote to memory of 1168	2752	z6699009.exe	91
PID 2752 wrote to memory of 1168	2752	z6699009.exe	91
PID 2752 wrote to memory of 1168	2752	z6699009.exe	91
PID 4836 wrote to memory of 1888	4836	z7900213.exe	98
PID 4836 wrote to memory of 1888	4836	z7900213.exe	98
PID 4836 wrote to memory of 1888	4836	z7900213.exe	98
PID 1888 wrote to memory of 1992	1888	r8806620.exe	100
PID 1888 wrote to memory of 1992	1888	r8806620.exe	100
PID 1888 wrote to memory of 1992	1888	r8806620.exe	100
PID 1888 wrote to memory of 1992	1888	r8806620.exe	100
PID 1888 wrote to memory of 1992	1888	r8806620.exe	100
PID 3708 wrote to memory of 4392	3708	b7b010c8489e943e4c95dca4d0d55bc366fff450a7fcc0d1fd3d48c7ababebb5.exe	101
PID 3708 wrote to memory of 4392	3708	b7b010c8489e943e4c95dca4d0d55bc366fff450a7fcc0d1fd3d48c7ababebb5.exe	101
PID 3708 wrote to memory of 4392	3708	b7b010c8489e943e4c95dca4d0d55bc366fff450a7fcc0d1fd3d48c7ababebb5.exe	101
PID 4392 wrote to memory of 4088	4392	s4916137.exe	102
PID 4392 wrote to memory of 4088	4392	s4916137.exe	102
PID 4392 wrote to memory of 4088	4392	s4916137.exe	102
PID 4392 wrote to memory of 4088	4392	s4916137.exe	102
PID 4392 wrote to memory of 4088	4392	s4916137.exe	102
PID 4392 wrote to memory of 4088	4392	s4916137.exe	102
PID 4392 wrote to memory of 4088	4392	s4916137.exe	102
PID 4392 wrote to memory of 4088	4392	s4916137.exe	102
PID 4392 wrote to memory of 4088	4392	s4916137.exe	102
PID 4392 wrote to memory of 4088	4392	s4916137.exe	102
PID 4088 wrote to memory of 4608	4088	s4916137.exe	104
PID 4088 wrote to memory of 4608	4088	s4916137.exe	104
PID 4088 wrote to memory of 4608	4088	s4916137.exe	104
PID 4608 wrote to memory of 2376	4608	legends.exe	105
PID 4608 wrote to memory of 2376	4608	legends.exe	105
PID 4608 wrote to memory of 2376	4608	legends.exe	105
PID 4608 wrote to memory of 2376	4608	legends.exe	105
PID 4608 wrote to memory of 2376	4608	legends.exe	105
PID 4608 wrote to memory of 2376	4608	legends.exe	105
PID 4608 wrote to memory of 2376	4608	legends.exe	105
PID 4608 wrote to memory of 2376	4608	legends.exe	105
PID 4608 wrote to memory of 2376	4608	legends.exe	105
PID 4608 wrote to memory of 2376	4608	legends.exe	105
PID 2376 wrote to memory of 3908	2376	legends.exe	106
PID 2376 wrote to memory of 3908	2376	legends.exe	106
PID 2376 wrote to memory of 3908	2376	legends.exe	106
PID 2376 wrote to memory of 2912	2376	legends.exe	108
PID 2376 wrote to memory of 2912	2376	legends.exe	108
PID 2376 wrote to memory of 2912	2376	legends.exe	108
PID 2912 wrote to memory of 3056	2912	cmd.exe	110
PID 2912 wrote to memory of 3056	2912	cmd.exe	110
PID 2912 wrote to memory of 3056	2912	cmd.exe	110
PID 2912 wrote to memory of 3408	2912	cmd.exe	111
PID 2912 wrote to memory of 3408	2912	cmd.exe	111
PID 2912 wrote to memory of 3408	2912	cmd.exe	111
PID 2912 wrote to memory of 4716	2912	cmd.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b7b010c8489e943e4c95dca4d0d55bc366fff450a7fcc0d1fd3d48c7ababebb5.exe
"C:\Users\Admin\AppData\Local\Temp\b7b010c8489e943e4c95dca4d0d55bc366fff450a7fcc0d1fd3d48c7ababebb5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7900213.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7900213.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6699009.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6699009.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3257181.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3257181.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4016
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3128
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2353106.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2353106.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1168
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8806620.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8806620.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1992
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4916137.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4916137.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4916137.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4916137.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4608
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2376
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3908
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:4512
      - C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "k2" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe"
        7⤵
        
        PID:4900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2656
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1
        8⤵
        Runs ping.exe
        
        PID:3120
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "k2" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:860
        
        C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe
        
        "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\k2.exe.log

Filesize
1KB

MD5
fc1be6f3f52d5c841af91f8fc3f790cb

SHA1
ac79b4229e0a0ce378ae22fc6104748c5f234511

SHA256
6da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910

SHA512
2f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
7be233efb68ce0811f8dfacd2799e8a2

SHA1
00767ac20c0ed7d161517aab1a1c6ed4040edc47

SHA256
17513e0485f523a427047190a9ead3c7c7b62998484a6d2c64ff78e1b1028e7c

SHA512
9a4aef9eefa2bd0ff9224aa95601232781fd61a01ad457df46dd5e5fefb2e162852826f73e2e781e96b536f2218dc78508c8c03f6be0c120be1e6e1d84e382e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
7be233efb68ce0811f8dfacd2799e8a2

SHA1
00767ac20c0ed7d161517aab1a1c6ed4040edc47

SHA256
17513e0485f523a427047190a9ead3c7c7b62998484a6d2c64ff78e1b1028e7c

SHA512
9a4aef9eefa2bd0ff9224aa95601232781fd61a01ad457df46dd5e5fefb2e162852826f73e2e781e96b536f2218dc78508c8c03f6be0c120be1e6e1d84e382e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
7be233efb68ce0811f8dfacd2799e8a2

SHA1
00767ac20c0ed7d161517aab1a1c6ed4040edc47

SHA256
17513e0485f523a427047190a9ead3c7c7b62998484a6d2c64ff78e1b1028e7c

SHA512
9a4aef9eefa2bd0ff9224aa95601232781fd61a01ad457df46dd5e5fefb2e162852826f73e2e781e96b536f2218dc78508c8c03f6be0c120be1e6e1d84e382e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
7be233efb68ce0811f8dfacd2799e8a2

SHA1
00767ac20c0ed7d161517aab1a1c6ed4040edc47

SHA256
17513e0485f523a427047190a9ead3c7c7b62998484a6d2c64ff78e1b1028e7c

SHA512
9a4aef9eefa2bd0ff9224aa95601232781fd61a01ad457df46dd5e5fefb2e162852826f73e2e781e96b536f2218dc78508c8c03f6be0c120be1e6e1d84e382e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4916137.exe

Filesize
962KB

MD5
7be233efb68ce0811f8dfacd2799e8a2

SHA1
00767ac20c0ed7d161517aab1a1c6ed4040edc47

SHA256
17513e0485f523a427047190a9ead3c7c7b62998484a6d2c64ff78e1b1028e7c

SHA512
9a4aef9eefa2bd0ff9224aa95601232781fd61a01ad457df46dd5e5fefb2e162852826f73e2e781e96b536f2218dc78508c8c03f6be0c120be1e6e1d84e382e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4916137.exe

Filesize
962KB

MD5
7be233efb68ce0811f8dfacd2799e8a2

SHA1
00767ac20c0ed7d161517aab1a1c6ed4040edc47

SHA256
17513e0485f523a427047190a9ead3c7c7b62998484a6d2c64ff78e1b1028e7c

SHA512
9a4aef9eefa2bd0ff9224aa95601232781fd61a01ad457df46dd5e5fefb2e162852826f73e2e781e96b536f2218dc78508c8c03f6be0c120be1e6e1d84e382e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4916137.exe

Filesize
962KB

MD5
7be233efb68ce0811f8dfacd2799e8a2

SHA1
00767ac20c0ed7d161517aab1a1c6ed4040edc47

SHA256
17513e0485f523a427047190a9ead3c7c7b62998484a6d2c64ff78e1b1028e7c

SHA512
9a4aef9eefa2bd0ff9224aa95601232781fd61a01ad457df46dd5e5fefb2e162852826f73e2e781e96b536f2218dc78508c8c03f6be0c120be1e6e1d84e382e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7900213.exe

Filesize
601KB

MD5
eb365845b02031f6afd875e1d93060f1

SHA1
28d2a74911f3e9b25cbde47a7c32c2c34fda9617

SHA256
f32b223ab661347fee5a496c58983e86354df0608fd1f0e7ef6ae8f54b9f517d

SHA512
cb5a186b3e00e52d123ac05cca2cc368e4cb79ff6c59a1f073504d41480dab7f57488200432c4e947a5ea7395a5211ea111a898c184213d806d2a0c6addb61d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7900213.exe

Filesize
601KB

MD5
eb365845b02031f6afd875e1d93060f1

SHA1
28d2a74911f3e9b25cbde47a7c32c2c34fda9617

SHA256
f32b223ab661347fee5a496c58983e86354df0608fd1f0e7ef6ae8f54b9f517d

SHA512
cb5a186b3e00e52d123ac05cca2cc368e4cb79ff6c59a1f073504d41480dab7f57488200432c4e947a5ea7395a5211ea111a898c184213d806d2a0c6addb61d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8806620.exe

Filesize
328KB

MD5
2396d8cae2394fb27dce12df0a614556

SHA1
f072cd2044745c6856139d0041dd9b66609036cf

SHA256
a07a78f63c60aba6972208116635331a0d5cda94d467a084b4398666894de8fa

SHA512
becbea291e248809d36621d8c639c1118a3b4fb8f11e30881792562e972bc9be474820a3cbd90047985eb9a51415545cee117a8cbe3d268f57c74786d0b8c1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8806620.exe

Filesize
328KB

MD5
2396d8cae2394fb27dce12df0a614556

SHA1
f072cd2044745c6856139d0041dd9b66609036cf

SHA256
a07a78f63c60aba6972208116635331a0d5cda94d467a084b4398666894de8fa

SHA512
becbea291e248809d36621d8c639c1118a3b4fb8f11e30881792562e972bc9be474820a3cbd90047985eb9a51415545cee117a8cbe3d268f57c74786d0b8c1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6699009.exe

Filesize
280KB

MD5
c38ec8fc2161e662fbd9fb1f68332e3f

SHA1
6e02d600cc084ba8060eb22541a452745e9d3489

SHA256
7daa78f26617b8508d91d90538a7b4b957e98148811f36538b6f3db49a4e0230

SHA512
c5dd4b5ee4789e178cce04c66950805be31ac9b9b3e1d59cc60701c0701a3a5c6f9715f9da09e7be60c86e244ca3544608e216ead4b923c35b313465d78016b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6699009.exe

Filesize
280KB

MD5
c38ec8fc2161e662fbd9fb1f68332e3f

SHA1
6e02d600cc084ba8060eb22541a452745e9d3489

SHA256
7daa78f26617b8508d91d90538a7b4b957e98148811f36538b6f3db49a4e0230

SHA512
c5dd4b5ee4789e178cce04c66950805be31ac9b9b3e1d59cc60701c0701a3a5c6f9715f9da09e7be60c86e244ca3544608e216ead4b923c35b313465d78016b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3257181.exe

Filesize
194KB

MD5
0e0a999aef2af83dd154e46f6718fc93

SHA1
43690504b178b4e4fd0075297e2573f4f1d5f614

SHA256
a73f7903824fc116fdfaccf796e64a3d164badff748e9962013d230e4bdcd26c

SHA512
448d58f8c8d9b404a63d39505962bae4b4fa96315bfbeb74b702540e951f2cbed611e21952d4d3685b88a12aa8c57fa2af865c0b64669544184aff2aabea213a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3257181.exe

Filesize
194KB

MD5
0e0a999aef2af83dd154e46f6718fc93

SHA1
43690504b178b4e4fd0075297e2573f4f1d5f614

SHA256
a73f7903824fc116fdfaccf796e64a3d164badff748e9962013d230e4bdcd26c

SHA512
448d58f8c8d9b404a63d39505962bae4b4fa96315bfbeb74b702540e951f2cbed611e21952d4d3685b88a12aa8c57fa2af865c0b64669544184aff2aabea213a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2353106.exe

Filesize
145KB

MD5
87b6f01ee063f492eb1534516f75b543

SHA1
69d6b135bc96c3b33b282847eb090f692fd79bb9

SHA256
c26b76516a16a5e0c5f9246e986770976ed75c35214c3101f3d067b63b7d663f

SHA512
b8bf9da7820c200f9aebd367eb50c9d8ab0e2d8539fc77d20a8a5fd96bc853c19755b52811a53aa6dad211cc9e43b8784a754f3c2c8d52d3eec7cf01133445f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2353106.exe

Filesize
145KB

MD5
87b6f01ee063f492eb1534516f75b543

SHA1
69d6b135bc96c3b33b282847eb090f692fd79bb9

SHA256
c26b76516a16a5e0c5f9246e986770976ed75c35214c3101f3d067b63b7d663f

SHA512
b8bf9da7820c200f9aebd367eb50c9d8ab0e2d8539fc77d20a8a5fd96bc853c19755b52811a53aa6dad211cc9e43b8784a754f3c2c8d52d3eec7cf01133445f3

Download Submit
memory/1028-247-0x0000023355AA0000-0x0000023355B3A000-memory.dmp

Filesize
616KB

Download
memory/1028-248-0x0000023370210000-0x0000023370220000-memory.dmp

Filesize
64KB

Download
memory/1168-168-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/1168-175-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/1168-177-0x0000000006CC0000-0x0000000006D10000-memory.dmp

Filesize
320KB

Download
memory/1168-170-0x00000000065C0000-0x0000000006B64000-memory.dmp

Filesize
5.6MB

Download
memory/1168-171-0x0000000005890000-0x00000000058F6000-memory.dmp

Filesize
408KB

Download
memory/1168-167-0x00000000054C0000-0x00000000054FC000-memory.dmp

Filesize
240KB

Download
memory/1168-163-0x0000000000BC0000-0x0000000000BEA000-memory.dmp

Filesize
168KB

Download
memory/1168-176-0x0000000006F10000-0x0000000006F86000-memory.dmp

Filesize
472KB

Download
memory/1168-166-0x0000000005450000-0x0000000005462000-memory.dmp

Filesize
72KB

Download
memory/1168-164-0x00000000059F0000-0x0000000006008000-memory.dmp

Filesize
6.1MB

Download
memory/1168-165-0x0000000005520000-0x000000000562A000-memory.dmp

Filesize
1.0MB

Download
memory/1168-169-0x00000000057F0000-0x0000000005882000-memory.dmp

Filesize
584KB

Download
memory/1168-174-0x0000000007440000-0x000000000796C000-memory.dmp

Filesize
5.2MB

Download
memory/1168-173-0x0000000006D40000-0x0000000006F02000-memory.dmp

Filesize
1.8MB

Download
memory/1992-183-0x0000000000560000-0x000000000058A000-memory.dmp

Filesize
168KB

Download
memory/1992-194-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/2312-256-0x000001BC531A0000-0x000001BC531B0000-memory.dmp

Filesize
64KB

Download
memory/2376-220-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2376-221-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2376-223-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2376-224-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2376-235-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2376-245-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3128-155-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4088-198-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4088-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4088-201-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4088-199-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4088-195-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4392-193-0x0000000007EA0000-0x0000000007EB0000-memory.dmp

Filesize
64KB

Download
memory/4392-192-0x0000000000F80000-0x0000000001078000-memory.dmp

Filesize
992KB

Download
memory/4608-216-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download