gurcu | 3dee4f24b15b8ddd995316aed99f4e4f2f98b6e66105410d543f0646b85aa775

Analysis

max time kernel
135s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2023, 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dee4f24b15b8ddd995316aed99f4e4f2f98b6e66105410d543f0646b85aa775.exe
Size

1.0MB
MD5

b0ac4be3ad35a4d63a610235b9c1c745
SHA1

3e4f020d5f3daf08cb1a4486b2dd801363f0e560
SHA256

3dee4f24b15b8ddd995316aed99f4e4f2f98b6e66105410d543f0646b85aa775
SHA512

48caa71d39c3b4380074ee2f115a7e22261d59d1d7c9410f149c1afecc73905b4c23527502b339ec6d66b59c16a5cc0402ab0af90120add7af1f30a78b9d6cbb
SSDEEP

24576:Byij5IkNz2AIY+CSeWDPAvO7CeNKPVFl+XLP5V:0QIn70SLIOvIVyj

Score

10^/10

gurcu redline sectoprat crypto fash lina collection discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lina

83.97.73.122:19062

Attributes

auth_value
13523aee5d194d7716b22eeab7de10ad

Extracted

Family

redline

Botnet

fash

83.97.73.122:19062

Attributes

auth_value
dd7165bcd22b0ed3df426d944e12f136

Extracted

Family

gurcu

https://api.telegram.org/bot6237712604:AAESgAGfaQ0EUC8eWgMd7kpAW_FEGRDRfDs/sendMessage?chat_id=880824160

Extracted

Family

redline

Botnet

crypto

163.123.142.235:61068

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000600000002317a-284.dat	family_redline
behavioral1/files/0x000600000002317a-308.dat	family_redline
behavioral1/files/0x000600000002317a-309.dat	family_redline
behavioral1/memory/2948-310-0x0000000000890000-0x00000000008AE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000600000002317a-284.dat	family_sectoprat
behavioral1/files/0x000600000002317a-308.dat	family_sectoprat
behavioral1/files/0x000600000002317a-309.dat	family_sectoprat
behavioral1/memory/2948-310-0x0000000000890000-0x00000000008AE000-memory.dmp	family_sectoprat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	legends.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	k2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	k2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	k2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	k2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	s6163697.exe

Executes dropped EXE 26 IoCs

pid	Process
3328	z5776389.exe
2024	z9364147.exe
1208	o3148962.exe
2108	p7528115.exe
2760	r2818764.exe
828	s6163697.exe
4532	s6163697.exe
1112	s6163697.exe
4224	s6163697.exe
3388	legends.exe
4456	legends.exe
2104	legends.exe
2756	k2.exe
4228	k2.exe
1900	legends.exe
4212	tor.exe
1696	k2.exe
2948	build9.exe
4280	tor.exe
3080	legends.exe
4752	legends.exe
4140	legends.exe
3724	k2.exe
5056	legends.exe
2464	tor.exe
4376	legends.exe

Loads dropped DLL 1 IoCs

pid	Process
1940	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3dee4f24b15b8ddd995316aed99f4e4f2f98b6e66105410d543f0646b85aa775.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5776389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5776389.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9364147.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9364147.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3dee4f24b15b8ddd995316aed99f4e4f2f98b6e66105410d543f0646b85aa775.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
55	ip-api.com

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1208 set thread context of 1384	1208	o3148962.exe	88
PID 2760 set thread context of 4792	2760	r2818764.exe	92
PID 828 set thread context of 4224	828	s6163697.exe	96
PID 3388 set thread context of 2104	3388	legends.exe	100
PID 1900 set thread context of 4140	1900	legends.exe	132
PID 5056 set thread context of 4376	5056	legends.exe	136

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4748	1696	WerFault.exe	124
2100	3724	WerFault.exe	134

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2836	schtasks.exe
2112	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3512	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1384	AppLaunch.exe
1384	AppLaunch.exe
2108	p7528115.exe
2108	p7528115.exe
4792	AppLaunch.exe
4792	AppLaunch.exe
4228	k2.exe
4228	k2.exe
1696	k2.exe
2948	build9.exe
2948	build9.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1384	AppLaunch.exe
Token: SeDebugPrivilege	2108	p7528115.exe
Token: SeDebugPrivilege	828	s6163697.exe
Token: SeDebugPrivilege	4792	AppLaunch.exe
Token: SeDebugPrivilege	3388	legends.exe
Token: SeDebugPrivilege	2756	k2.exe
Token: SeDebugPrivilege	4228	k2.exe
Token: SeDebugPrivilege	1900	legends.exe
Token: SeDebugPrivilege	1696	k2.exe
Token: SeDebugPrivilege	2948	build9.exe
Token: SeDebugPrivilege	3724	k2.exe
Token: SeDebugPrivilege	5056	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4224	s6163697.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 3328	4956	3dee4f24b15b8ddd995316aed99f4e4f2f98b6e66105410d543f0646b85aa775.exe	84
PID 4956 wrote to memory of 3328	4956	3dee4f24b15b8ddd995316aed99f4e4f2f98b6e66105410d543f0646b85aa775.exe	84
PID 4956 wrote to memory of 3328	4956	3dee4f24b15b8ddd995316aed99f4e4f2f98b6e66105410d543f0646b85aa775.exe	84
PID 3328 wrote to memory of 2024	3328	z5776389.exe	85
PID 3328 wrote to memory of 2024	3328	z5776389.exe	85
PID 3328 wrote to memory of 2024	3328	z5776389.exe	85
PID 2024 wrote to memory of 1208	2024	z9364147.exe	86
PID 2024 wrote to memory of 1208	2024	z9364147.exe	86
PID 2024 wrote to memory of 1208	2024	z9364147.exe	86
PID 1208 wrote to memory of 1384	1208	o3148962.exe	88
PID 1208 wrote to memory of 1384	1208	o3148962.exe	88
PID 1208 wrote to memory of 1384	1208	o3148962.exe	88
PID 1208 wrote to memory of 1384	1208	o3148962.exe	88
PID 1208 wrote to memory of 1384	1208	o3148962.exe	88
PID 2024 wrote to memory of 2108	2024	z9364147.exe	89
PID 2024 wrote to memory of 2108	2024	z9364147.exe	89
PID 2024 wrote to memory of 2108	2024	z9364147.exe	89
PID 3328 wrote to memory of 2760	3328	z5776389.exe	90
PID 3328 wrote to memory of 2760	3328	z5776389.exe	90
PID 3328 wrote to memory of 2760	3328	z5776389.exe	90
PID 2760 wrote to memory of 4792	2760	r2818764.exe	92
PID 2760 wrote to memory of 4792	2760	r2818764.exe	92
PID 2760 wrote to memory of 4792	2760	r2818764.exe	92
PID 2760 wrote to memory of 4792	2760	r2818764.exe	92
PID 2760 wrote to memory of 4792	2760	r2818764.exe	92
PID 4956 wrote to memory of 828	4956	3dee4f24b15b8ddd995316aed99f4e4f2f98b6e66105410d543f0646b85aa775.exe	93
PID 4956 wrote to memory of 828	4956	3dee4f24b15b8ddd995316aed99f4e4f2f98b6e66105410d543f0646b85aa775.exe	93
PID 4956 wrote to memory of 828	4956	3dee4f24b15b8ddd995316aed99f4e4f2f98b6e66105410d543f0646b85aa775.exe	93
PID 828 wrote to memory of 4532	828	s6163697.exe	94
PID 828 wrote to memory of 4532	828	s6163697.exe	94
PID 828 wrote to memory of 4532	828	s6163697.exe	94
PID 828 wrote to memory of 4532	828	s6163697.exe	94
PID 828 wrote to memory of 1112	828	s6163697.exe	95
PID 828 wrote to memory of 1112	828	s6163697.exe	95
PID 828 wrote to memory of 1112	828	s6163697.exe	95
PID 828 wrote to memory of 1112	828	s6163697.exe	95
PID 828 wrote to memory of 4224	828	s6163697.exe	96
PID 828 wrote to memory of 4224	828	s6163697.exe	96
PID 828 wrote to memory of 4224	828	s6163697.exe	96
PID 828 wrote to memory of 4224	828	s6163697.exe	96
PID 828 wrote to memory of 4224	828	s6163697.exe	96
PID 828 wrote to memory of 4224	828	s6163697.exe	96
PID 828 wrote to memory of 4224	828	s6163697.exe	96
PID 828 wrote to memory of 4224	828	s6163697.exe	96
PID 828 wrote to memory of 4224	828	s6163697.exe	96
PID 828 wrote to memory of 4224	828	s6163697.exe	96
PID 4224 wrote to memory of 3388	4224	s6163697.exe	97
PID 4224 wrote to memory of 3388	4224	s6163697.exe	97
PID 4224 wrote to memory of 3388	4224	s6163697.exe	97
PID 3388 wrote to memory of 4456	3388	legends.exe	98
PID 3388 wrote to memory of 4456	3388	legends.exe	98
PID 3388 wrote to memory of 4456	3388	legends.exe	98
PID 3388 wrote to memory of 4456	3388	legends.exe	98
PID 3388 wrote to memory of 2104	3388	legends.exe	100
PID 3388 wrote to memory of 2104	3388	legends.exe	100
PID 3388 wrote to memory of 2104	3388	legends.exe	100
PID 3388 wrote to memory of 2104	3388	legends.exe	100
PID 3388 wrote to memory of 2104	3388	legends.exe	100
PID 3388 wrote to memory of 2104	3388	legends.exe	100
PID 3388 wrote to memory of 2104	3388	legends.exe	100
PID 3388 wrote to memory of 2104	3388	legends.exe	100
PID 3388 wrote to memory of 2104	3388	legends.exe	100
PID 3388 wrote to memory of 2104	3388	legends.exe	100
PID 2104 wrote to memory of 2836	2104	legends.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe

C:\Users\Admin\AppData\Local\Temp\3dee4f24b15b8ddd995316aed99f4e4f2f98b6e66105410d543f0646b85aa775.exe
"C:\Users\Admin\AppData\Local\Temp\3dee4f24b15b8ddd995316aed99f4e4f2f98b6e66105410d543f0646b85aa775.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5776389.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5776389.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9364147.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9364147.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3148962.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3148962.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1208
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7528115.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7528115.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2108
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2818764.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2818764.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4792
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6163697.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6163697.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6163697.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6163697.exe
    3⤵
    - Executes dropped EXE
    PID:4532
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6163697.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6163697.exe
    3⤵
    - Executes dropped EXE
    PID:1112
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6163697.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6163697.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3388
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Executes dropped EXE
        
        PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2104
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:2836
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:3216
      - C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "k2" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe"
        7⤵
        
        PID:4952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3752
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1
        8⤵
        Runs ping.exe
        
        PID:3512
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "k2" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe
        
        "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
        
        C:\Windows\System32\tar.exe
        
        "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp2D4A.tmp" -C "C:\Users\Admin\AppData\Local\x22nso3f7r"
        9⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
        
        "C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
        9⤵
        Executes dropped EXE
        
        PID:4212
      - C:\Users\Admin\AppData\Local\Temp\1000036001\build9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000036001\build9.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:1940

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1900
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:4140

C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe
C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1696
- C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
  "C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1696 -s 2640
  2⤵
  - Program crash
  PID:4748

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 1696 -ip 1696
1⤵
PID:4792

C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe
C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3724
- C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
  "C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3724 -s 2128
  2⤵
  - Program crash
  PID:2100

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5056
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:4376

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 3724 -ip 3724
1⤵
PID:4280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\k2.exe.log

Filesize
1KB

MD5
fc1be6f3f52d5c841af91f8fc3f790cb

SHA1
ac79b4229e0a0ce378ae22fc6104748c5f234511

SHA256
6da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910

SHA512
2f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000036001\build9.exe

Filesize
95KB

MD5
2c5a75b7d24847bc5d206adb5c630a18

SHA1
89ca4d98947ab1248c022d66a23279f04cca6bbf

SHA256
dd09828ffbfdd784f83cac83641b8a0c3ca04b76becabb0ab5d170ad1bc169a7

SHA512
2ff1ad476ea1c72f6e1cda33f601e2eae06ca87bf4554cd085e17512a88ad515e95d42706e8e0a2c2b1fe17c9e0f1c511ef1554333d17a7e6e111b1531acc789

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000036001\build9.exe

Filesize
95KB

MD5
2c5a75b7d24847bc5d206adb5c630a18

SHA1
89ca4d98947ab1248c022d66a23279f04cca6bbf

SHA256
dd09828ffbfdd784f83cac83641b8a0c3ca04b76becabb0ab5d170ad1bc169a7

SHA512
2ff1ad476ea1c72f6e1cda33f601e2eae06ca87bf4554cd085e17512a88ad515e95d42706e8e0a2c2b1fe17c9e0f1c511ef1554333d17a7e6e111b1531acc789

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000036001\build9.exe

Filesize
95KB

MD5
2c5a75b7d24847bc5d206adb5c630a18

SHA1
89ca4d98947ab1248c022d66a23279f04cca6bbf

SHA256
dd09828ffbfdd784f83cac83641b8a0c3ca04b76becabb0ab5d170ad1bc169a7

SHA512
2ff1ad476ea1c72f6e1cda33f601e2eae06ca87bf4554cd085e17512a88ad515e95d42706e8e0a2c2b1fe17c9e0f1c511ef1554333d17a7e6e111b1531acc789

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
24c38257727a5eb11ae0ea82c18cb201

SHA1
58032385aed22fb3c77c125edad5129be603227d

SHA256
437d86770a936a131c7830fceb7f76d9ef646a1c474a23c04d52f719ebac139c

SHA512
3ad2c877339f6af5e1a3e714c37a0ceb6e58fa0646b04f521bde4de795d5ad052fb3ad78376c9333adb891d7273f10226a2427f38012581bd443ec7604db50d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
24c38257727a5eb11ae0ea82c18cb201

SHA1
58032385aed22fb3c77c125edad5129be603227d

SHA256
437d86770a936a131c7830fceb7f76d9ef646a1c474a23c04d52f719ebac139c

SHA512
3ad2c877339f6af5e1a3e714c37a0ceb6e58fa0646b04f521bde4de795d5ad052fb3ad78376c9333adb891d7273f10226a2427f38012581bd443ec7604db50d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
24c38257727a5eb11ae0ea82c18cb201

SHA1
58032385aed22fb3c77c125edad5129be603227d

SHA256
437d86770a936a131c7830fceb7f76d9ef646a1c474a23c04d52f719ebac139c

SHA512
3ad2c877339f6af5e1a3e714c37a0ceb6e58fa0646b04f521bde4de795d5ad052fb3ad78376c9333adb891d7273f10226a2427f38012581bd443ec7604db50d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
24c38257727a5eb11ae0ea82c18cb201

SHA1
58032385aed22fb3c77c125edad5129be603227d

SHA256
437d86770a936a131c7830fceb7f76d9ef646a1c474a23c04d52f719ebac139c

SHA512
3ad2c877339f6af5e1a3e714c37a0ceb6e58fa0646b04f521bde4de795d5ad052fb3ad78376c9333adb891d7273f10226a2427f38012581bd443ec7604db50d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
24c38257727a5eb11ae0ea82c18cb201

SHA1
58032385aed22fb3c77c125edad5129be603227d

SHA256
437d86770a936a131c7830fceb7f76d9ef646a1c474a23c04d52f719ebac139c

SHA512
3ad2c877339f6af5e1a3e714c37a0ceb6e58fa0646b04f521bde4de795d5ad052fb3ad78376c9333adb891d7273f10226a2427f38012581bd443ec7604db50d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
24c38257727a5eb11ae0ea82c18cb201

SHA1
58032385aed22fb3c77c125edad5129be603227d

SHA256
437d86770a936a131c7830fceb7f76d9ef646a1c474a23c04d52f719ebac139c

SHA512
3ad2c877339f6af5e1a3e714c37a0ceb6e58fa0646b04f521bde4de795d5ad052fb3ad78376c9333adb891d7273f10226a2427f38012581bd443ec7604db50d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
24c38257727a5eb11ae0ea82c18cb201

SHA1
58032385aed22fb3c77c125edad5129be603227d

SHA256
437d86770a936a131c7830fceb7f76d9ef646a1c474a23c04d52f719ebac139c

SHA512
3ad2c877339f6af5e1a3e714c37a0ceb6e58fa0646b04f521bde4de795d5ad052fb3ad78376c9333adb891d7273f10226a2427f38012581bd443ec7604db50d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
24c38257727a5eb11ae0ea82c18cb201

SHA1
58032385aed22fb3c77c125edad5129be603227d

SHA256
437d86770a936a131c7830fceb7f76d9ef646a1c474a23c04d52f719ebac139c

SHA512
3ad2c877339f6af5e1a3e714c37a0ceb6e58fa0646b04f521bde4de795d5ad052fb3ad78376c9333adb891d7273f10226a2427f38012581bd443ec7604db50d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
24c38257727a5eb11ae0ea82c18cb201

SHA1
58032385aed22fb3c77c125edad5129be603227d

SHA256
437d86770a936a131c7830fceb7f76d9ef646a1c474a23c04d52f719ebac139c

SHA512
3ad2c877339f6af5e1a3e714c37a0ceb6e58fa0646b04f521bde4de795d5ad052fb3ad78376c9333adb891d7273f10226a2427f38012581bd443ec7604db50d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
24c38257727a5eb11ae0ea82c18cb201

SHA1
58032385aed22fb3c77c125edad5129be603227d

SHA256
437d86770a936a131c7830fceb7f76d9ef646a1c474a23c04d52f719ebac139c

SHA512
3ad2c877339f6af5e1a3e714c37a0ceb6e58fa0646b04f521bde4de795d5ad052fb3ad78376c9333adb891d7273f10226a2427f38012581bd443ec7604db50d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
24c38257727a5eb11ae0ea82c18cb201

SHA1
58032385aed22fb3c77c125edad5129be603227d

SHA256
437d86770a936a131c7830fceb7f76d9ef646a1c474a23c04d52f719ebac139c

SHA512
3ad2c877339f6af5e1a3e714c37a0ceb6e58fa0646b04f521bde4de795d5ad052fb3ad78376c9333adb891d7273f10226a2427f38012581bd443ec7604db50d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6163697.exe

Filesize
962KB

MD5
24c38257727a5eb11ae0ea82c18cb201

SHA1
58032385aed22fb3c77c125edad5129be603227d

SHA256
437d86770a936a131c7830fceb7f76d9ef646a1c474a23c04d52f719ebac139c

SHA512
3ad2c877339f6af5e1a3e714c37a0ceb6e58fa0646b04f521bde4de795d5ad052fb3ad78376c9333adb891d7273f10226a2427f38012581bd443ec7604db50d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6163697.exe

Filesize
962KB

MD5
24c38257727a5eb11ae0ea82c18cb201

SHA1
58032385aed22fb3c77c125edad5129be603227d

SHA256
437d86770a936a131c7830fceb7f76d9ef646a1c474a23c04d52f719ebac139c

SHA512
3ad2c877339f6af5e1a3e714c37a0ceb6e58fa0646b04f521bde4de795d5ad052fb3ad78376c9333adb891d7273f10226a2427f38012581bd443ec7604db50d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6163697.exe

Filesize
962KB

MD5
24c38257727a5eb11ae0ea82c18cb201

SHA1
58032385aed22fb3c77c125edad5129be603227d

SHA256
437d86770a936a131c7830fceb7f76d9ef646a1c474a23c04d52f719ebac139c

SHA512
3ad2c877339f6af5e1a3e714c37a0ceb6e58fa0646b04f521bde4de795d5ad052fb3ad78376c9333adb891d7273f10226a2427f38012581bd443ec7604db50d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6163697.exe

Filesize
962KB

MD5
24c38257727a5eb11ae0ea82c18cb201

SHA1
58032385aed22fb3c77c125edad5129be603227d

SHA256
437d86770a936a131c7830fceb7f76d9ef646a1c474a23c04d52f719ebac139c

SHA512
3ad2c877339f6af5e1a3e714c37a0ceb6e58fa0646b04f521bde4de795d5ad052fb3ad78376c9333adb891d7273f10226a2427f38012581bd443ec7604db50d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6163697.exe

Filesize
962KB

MD5
24c38257727a5eb11ae0ea82c18cb201

SHA1
58032385aed22fb3c77c125edad5129be603227d

SHA256
437d86770a936a131c7830fceb7f76d9ef646a1c474a23c04d52f719ebac139c

SHA512
3ad2c877339f6af5e1a3e714c37a0ceb6e58fa0646b04f521bde4de795d5ad052fb3ad78376c9333adb891d7273f10226a2427f38012581bd443ec7604db50d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5776389.exe

Filesize
595KB

MD5
b39a7d5a099f438afc2830bf4416cf40

SHA1
733bba0658f5b4f3034605d457db6406bf9e6bf6

SHA256
97a19a21910ff0964a224f4ef5fc7904fd2a20f51b95a4e3a27a350222df0e76

SHA512
4d02dc8140ed62dbbe49e08da8ebc3537754041038c585ac104ae7cd523857afac19337a137964b843a6a756111598899d04151abaff070cc757a41bf9229d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5776389.exe

Filesize
595KB

MD5
b39a7d5a099f438afc2830bf4416cf40

SHA1
733bba0658f5b4f3034605d457db6406bf9e6bf6

SHA256
97a19a21910ff0964a224f4ef5fc7904fd2a20f51b95a4e3a27a350222df0e76

SHA512
4d02dc8140ed62dbbe49e08da8ebc3537754041038c585ac104ae7cd523857afac19337a137964b843a6a756111598899d04151abaff070cc757a41bf9229d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2818764.exe

Filesize
322KB

MD5
96a2d756bf4f12ff4fd9abd2db5c7ba3

SHA1
e9b86e19d66a1b5734f8cea603deb2beef91565e

SHA256
b1cde43894fce57a1b097b5ef464dbc23a1c4b788b3497636db8b49b557eedde

SHA512
d08930b19728777d1c02b4e0495d4f35311942384afabd5b65921711f3753efebc80e4c227db795caca02ab272f7c3a7740cde5da3f3fa30a4bd7410fb3604a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2818764.exe

Filesize
322KB

MD5
96a2d756bf4f12ff4fd9abd2db5c7ba3

SHA1
e9b86e19d66a1b5734f8cea603deb2beef91565e

SHA256
b1cde43894fce57a1b097b5ef464dbc23a1c4b788b3497636db8b49b557eedde

SHA512
d08930b19728777d1c02b4e0495d4f35311942384afabd5b65921711f3753efebc80e4c227db795caca02ab272f7c3a7740cde5da3f3fa30a4bd7410fb3604a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9364147.exe

Filesize
277KB

MD5
bdbdba8d6d49b7dca2be25202eb8387f

SHA1
1975f06c4566409b34ce4a7c94436b9eb183bffa

SHA256
da8ff0626f43568fadcf725631f605501a2014d777e1eb9c911223e47a6159fb

SHA512
4cdbeabb927b3627c02ff409f96346d6144974cf3f0981f60e8358bfa15af1652af9fdcbc25c36e7eccd32d905668666b93cb1fc533d51443c2747f9343045ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9364147.exe

Filesize
277KB

MD5
bdbdba8d6d49b7dca2be25202eb8387f

SHA1
1975f06c4566409b34ce4a7c94436b9eb183bffa

SHA256
da8ff0626f43568fadcf725631f605501a2014d777e1eb9c911223e47a6159fb

SHA512
4cdbeabb927b3627c02ff409f96346d6144974cf3f0981f60e8358bfa15af1652af9fdcbc25c36e7eccd32d905668666b93cb1fc533d51443c2747f9343045ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3148962.exe

Filesize
188KB

MD5
ca4dfde89dfd0244ff9d81f0e1e6a604

SHA1
e63554b3fa6ab20a19e0fd73420c71ae53e9520e

SHA256
587ecd4b9dbd2a4895cc60a4e17ab96aa4b99e592a2850200f0476dd3af7a495

SHA512
25cc86b3a73a11d2209b5722107158d5d7ee2f54c104f93dac9b1950697ec4531b219a3e7cac3a7b94ec50de1a761ba5b5de40df3cf6ea6f13edc8a03e7c7c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3148962.exe

Filesize
188KB

MD5
ca4dfde89dfd0244ff9d81f0e1e6a604

SHA1
e63554b3fa6ab20a19e0fd73420c71ae53e9520e

SHA256
587ecd4b9dbd2a4895cc60a4e17ab96aa4b99e592a2850200f0476dd3af7a495

SHA512
25cc86b3a73a11d2209b5722107158d5d7ee2f54c104f93dac9b1950697ec4531b219a3e7cac3a7b94ec50de1a761ba5b5de40df3cf6ea6f13edc8a03e7c7c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7528115.exe

Filesize
145KB

MD5
422203545a71069ba25839de4d78f348

SHA1
4c3cac6c417e5a0d34115f1d42e8198951aa84f9

SHA256
34453f482a666dc8cf8fb38ac52db3d849de6aa24a39f6888e46648ea19b0df7

SHA512
32169a3d776ab216fc7f288a0dca851b5ae89942d1831e0f5c3b6219ed4f2182be985948a3ba7ea80daf888c208de9a62b1cdbb77534d46797e00d9d6a593029

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7528115.exe

Filesize
145KB

MD5
422203545a71069ba25839de4d78f348

SHA1
4c3cac6c417e5a0d34115f1d42e8198951aa84f9

SHA256
34453f482a666dc8cf8fb38ac52db3d849de6aa24a39f6888e46648ea19b0df7

SHA512
32169a3d776ab216fc7f288a0dca851b5ae89942d1831e0f5c3b6219ed4f2182be985948a3ba7ea80daf888c208de9a62b1cdbb77534d46797e00d9d6a593029

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D4A.tmp

Filesize
13.3MB

MD5
89d2d5811c1aff539bb355f15f3ddad0

SHA1
5bb3577c25b6d323d927200c48cd184a3e27c873

SHA256
b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

SHA512
39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7D08.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7D2E.tmp

Filesize
92KB

MD5
c9f27e93d4d2fb6dc5d4d1d2f7d529db

SHA1
cc44dd47cabe4d2ebba14361f8b5254064d365d3

SHA256
d724f78d92cc963b4a06a12a310c0f5411b1ce42361dcfc498a5759efe9fdd7c

SHA512
f7cc478278a5725e18ac8c7ff715fd88798b4562412d354925711c25353277ff2044d3c4a314d76f987006941b35cdde43deb9df4397b37689f67cb8fe541472

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7D49.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7D5E.tmp

Filesize
112KB

MD5
780853cddeaee8de70f28a4b255a600b

SHA1
ad7a5da33f7ad12946153c497e990720b09005ed

SHA256
1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

SHA512
e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7D7A.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\data\cached-certs

Filesize
18KB

MD5
7ab1a7e6567f936642970c57c5de3a29

SHA1
64223b7a8fa36e5b3d5d26ec77f3e4ad68aa148e

SHA256
39139551ddee136eedca68f74338356209f46071bb7f9a5e92c9df9c12e92179

SHA512
69c3ea9b61947db6e651bfb1e2ca49430e203bc71a265c759b83ddda1e2cfc608f568355f793c64ef2b6eba092e6073fd312b64fc22d82409c530786473c37cc

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\data\cached-microdescs.new

Filesize
2.2MB

MD5
a9483e4431f10d6769dc1e70544259dd

SHA1
88fd41a45e2b99807ed1e2e944d2e97172b6962f

SHA256
563bdb82bb59951f86d93835ca431e500267e68e0c6b2f5df4778c5b3df7c29b

SHA512
daa4e270ef47c81bc2feced186a7af58d6706af8f8991dc6135ca1fabb0deba737fe893a11899936726115c14eb5f93b1984b12b1cbb9cfc9b024580adeebe90

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\data\unverified-microdesc-consensus

Filesize
2.2MB

MD5
f59489a2bb0e63cfb11019b94fb0494a

SHA1
143ec727ce6c54100daef1b5eebca16b767da6ea

SHA256
8560e56c2b8b8ae6446aef258e21fe06f34bb6a1178ff440db5b836153d49ac4

SHA512
3d3423ba149c3b463db6ba582084c5d516ce179e94363479b02292c4b9ab10eb37f28d6bd674c3602df26832a4d9ed2042a3f3c4132c97c47701b7b164d7a017

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\host\hostname

Filesize
64B

MD5
1657159ea15ca6fdffdd4d21656e29a0

SHA1
be3b0c261dc1616f5912432b5cb74c6d890e56d9

SHA256
2e9279fb5134cd692f4e8a06fa81b4e5f62e10a08d46a2a2c0aefd8a2dbcf845

SHA512
d14457171c71d4ef66891a807337b6852fddd9ddaaf75467646e54fba9e89afce9ecf020c532cb01fb76f40f94efc9f4a46f7f16042efa0a0a12d1314a90e300

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\port.dat

Filesize
4B

MD5
f410588e48dc83f2822a880a68f78923

SHA1
bcc3fe1f6a2e6fe2a723905628738169ff3eca81

SHA256
d58cabc8303548b6ec23f1faccb3fc316208524a650f78423579899e8f9e8e67

SHA512
a30d6610175b54722885f4747975a3fd9e250c7fbb0a442f7e8cbee6239fda7aff0eeb1d0690b38b16018b998f4043975ec331796e63bfe4e704696d6de04b8b

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt

Filesize
218B

MD5
e4d2f4ce37fbc279f17133a106916cf0

SHA1
8db5a052ce1f5d869fa81363ad517081b3519ab3

SHA256
3d1208ccdf1b2fd4b1293702a135eb4d6dfc978b688c02f6323ce8556a9dba35

SHA512
f769415f5c7c71281f2c8c4567f6eb0ec51b96a1b9ac980134aa415f7cf1ffeb37d97aa941f1ebde7f27f727fc24eeafa464f7f1b28de96f66d1f09d3d15b7ff

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/828-192-0x0000000000860000-0x0000000000958000-memory.dmp

Filesize
992KB

Download
memory/1384-155-0x0000000000780000-0x000000000078A000-memory.dmp

Filesize
40KB

Download
memory/1900-279-0x00000000074A0000-0x00000000074B0000-memory.dmp

Filesize
64KB

Download
memory/2104-225-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2104-226-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2104-222-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2104-307-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2104-223-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2104-541-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2104-237-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2104-289-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2104-246-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2104-259-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2108-175-0x0000000006EA0000-0x0000000006F16000-memory.dmp

Filesize
472KB

Download
memory/2108-172-0x0000000006CD0000-0x0000000006E92000-memory.dmp

Filesize
1.8MB

Download
memory/2108-165-0x0000000005500000-0x000000000560A000-memory.dmp

Filesize
1.0MB

Download
memory/2108-176-0x0000000006C70000-0x0000000006CC0000-memory.dmp

Filesize
320KB

Download
memory/2108-177-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/2108-169-0x0000000006550000-0x0000000006AF4000-memory.dmp

Filesize
5.6MB

Download
memory/2108-166-0x0000000005430000-0x0000000005442000-memory.dmp

Filesize
72KB

Download
memory/2108-168-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/2108-173-0x00000000073D0000-0x00000000078FC000-memory.dmp

Filesize
5.2MB

Download
memory/2108-167-0x0000000005490000-0x00000000054CC000-memory.dmp

Filesize
240KB

Download
memory/2108-164-0x0000000005980000-0x0000000005F98000-memory.dmp

Filesize
6.1MB

Download
memory/2108-171-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/2108-163-0x0000000000BA0000-0x0000000000BCA000-memory.dmp

Filesize
168KB

Download
memory/2108-170-0x0000000005FA0000-0x0000000006032000-memory.dmp

Filesize
584KB

Download
memory/2756-250-0x000001D2F84A0000-0x000001D2F84B0000-memory.dmp

Filesize
64KB

Download
memory/2756-249-0x000001D2DDC70000-0x000001D2DDD0A000-memory.dmp

Filesize
616KB

Download
memory/2948-314-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/2948-310-0x0000000000890000-0x00000000008AE000-memory.dmp

Filesize
120KB

Download
memory/2948-359-0x0000000006C90000-0x0000000006CAE000-memory.dmp

Filesize
120KB

Download
memory/2948-514-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/3388-217-0x0000000007090000-0x00000000070A0000-memory.dmp

Filesize
64KB

Download
memory/3724-550-0x000001925FAD0000-0x000001925FAE0000-memory.dmp

Filesize
64KB

Download
memory/4140-356-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4140-357-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4140-358-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4224-202-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4224-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4224-196-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4224-199-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4224-200-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4228-258-0x000001886BB50000-0x000001886BB60000-memory.dmp

Filesize
64KB

Download
memory/4228-313-0x000001886BB50000-0x000001886BB60000-memory.dmp

Filesize
64KB

Download
memory/4376-555-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4376-556-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4376-557-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4792-193-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/4792-183-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5056-551-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download