gurcu | 44eca198c64197c511441f644895afd6a2777c28bcb6a376d4d4623b030ced31

Resubmissions

10-04-2024 02:49

240410-da1n1sfe7v 10

10-04-2024 02:49

10-04-2024 02:48

10-04-2024 02:48

14-10-2023 03:45

Analysis

max time kernel
1608s
max time network
1805s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

B9a5797cb584014f3fede.exe
Size

530KB
MD5

862e7aeb18ba5892f51b5712a213a614
SHA1

99d86e4247f52c3ea9b2bb476af66dfc7707fa8d
SHA256

44eca198c64197c511441f644895afd6a2777c28bcb6a376d4d4623b030ced31
SHA512

678fc8fb5dc887f41db90e6341229ce35c830ffac4cbb91ea669ab5e8bc849bae05c15909ae62e4dfd3a249bb2ff062eaa0e256989fe203863db0396c60ec713
SSDEEP

6144:XHClm6SWPoK5Z0EwVSmRPQd/t/a2zDGVPJXvnzZjDJHb571Kjn1929XDccHd8JyO:XHCnZxb88RatpvnzZjDv7oj19yTNTY

Score

10^/10

gurcu collection discovery spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6176004110:AAFKA5be4dMwA848HWxzYIzrzzOGIHMOJGc/sendMessage?chat_id=615133582

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 29 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	B9a5797cb584014f3fede.exe

Executes dropped EXE 56 IoCs

pid	Process
2248	B9a5797cb584014f3fede.exe
3392	tor.exe
2988	B9a5797cb584014f3fede.exe
2252	tor.exe
1844	B9a5797cb584014f3fede.exe
3620	tor.exe
2020	B9a5797cb584014f3fede.exe
2256	tor.exe
4368	B9a5797cb584014f3fede.exe
656	tor.exe
4916	B9a5797cb584014f3fede.exe
4796	tor.exe
2760	B9a5797cb584014f3fede.exe
4540	tor.exe
3076	B9a5797cb584014f3fede.exe
1236	tor.exe
2880	B9a5797cb584014f3fede.exe
5104	tor.exe
3300	B9a5797cb584014f3fede.exe
4944	tor.exe
2868	B9a5797cb584014f3fede.exe
4840	tor.exe
3608	B9a5797cb584014f3fede.exe
1716	tor.exe
1292	B9a5797cb584014f3fede.exe
4532	tor.exe
2252	B9a5797cb584014f3fede.exe
2824	tor.exe
3612	B9a5797cb584014f3fede.exe
3704	tor.exe
3308	B9a5797cb584014f3fede.exe
2368	tor.exe
4560	B9a5797cb584014f3fede.exe
2664	tor.exe
3888	B9a5797cb584014f3fede.exe
5064	tor.exe
1452	B9a5797cb584014f3fede.exe
1028	tor.exe
2788	B9a5797cb584014f3fede.exe
1268	tor.exe
1628	B9a5797cb584014f3fede.exe
4544	tor.exe
2312	B9a5797cb584014f3fede.exe
1556	tor.exe
4940	B9a5797cb584014f3fede.exe
4880	tor.exe
4032	B9a5797cb584014f3fede.exe
2852	tor.exe
4568	B9a5797cb584014f3fede.exe
4532	tor.exe
3020	B9a5797cb584014f3fede.exe
4088	tor.exe
4684	B9a5797cb584014f3fede.exe
2960	tor.exe
2060	B9a5797cb584014f3fede.exe
3248	tor.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 24 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
53	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4420	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4528	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2248	B9a5797cb584014f3fede.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	2248	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	2988	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	1844	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	2020	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	4368	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	4916	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	2760	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	3076	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	2880	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	3300	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	2868	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	3608	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	1292	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	2252	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	3612	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	3308	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	4560	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	3888	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	1452	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	2788	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	1628	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	2312	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	4940	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	4032	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	4568	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	3020	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	4684	B9a5797cb584014f3fede.exe
Token: SeDebugPrivilege	2060	B9a5797cb584014f3fede.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2428	2024	B9a5797cb584014f3fede.exe	85
PID 2024 wrote to memory of 2428	2024	B9a5797cb584014f3fede.exe	85
PID 2428 wrote to memory of 1928	2428	cmd.exe	87
PID 2428 wrote to memory of 1928	2428	cmd.exe	87
PID 2428 wrote to memory of 4528	2428	cmd.exe	89
PID 2428 wrote to memory of 4528	2428	cmd.exe	89
PID 2428 wrote to memory of 4420	2428	cmd.exe	92
PID 2428 wrote to memory of 4420	2428	cmd.exe	92
PID 2428 wrote to memory of 2248	2428	cmd.exe	93
PID 2428 wrote to memory of 2248	2428	cmd.exe	93
PID 2248 wrote to memory of 3208	2248	B9a5797cb584014f3fede.exe	98
PID 2248 wrote to memory of 3208	2248	B9a5797cb584014f3fede.exe	98
PID 2248 wrote to memory of 3392	2248	B9a5797cb584014f3fede.exe	100
PID 2248 wrote to memory of 3392	2248	B9a5797cb584014f3fede.exe	100
PID 2988 wrote to memory of 2252	2988	B9a5797cb584014f3fede.exe	107
PID 2988 wrote to memory of 2252	2988	B9a5797cb584014f3fede.exe	107
PID 1844 wrote to memory of 3620	1844	B9a5797cb584014f3fede.exe	113
PID 1844 wrote to memory of 3620	1844	B9a5797cb584014f3fede.exe	113
PID 2020 wrote to memory of 2256	2020	B9a5797cb584014f3fede.exe	118
PID 2020 wrote to memory of 2256	2020	B9a5797cb584014f3fede.exe	118
PID 4368 wrote to memory of 656	4368	B9a5797cb584014f3fede.exe	123
PID 4368 wrote to memory of 656	4368	B9a5797cb584014f3fede.exe	123
PID 4916 wrote to memory of 4796	4916	B9a5797cb584014f3fede.exe	128
PID 4916 wrote to memory of 4796	4916	B9a5797cb584014f3fede.exe	128
PID 2760 wrote to memory of 4540	2760	B9a5797cb584014f3fede.exe	133
PID 2760 wrote to memory of 4540	2760	B9a5797cb584014f3fede.exe	133
PID 3076 wrote to memory of 1236	3076	B9a5797cb584014f3fede.exe	138
PID 3076 wrote to memory of 1236	3076	B9a5797cb584014f3fede.exe	138
PID 2880 wrote to memory of 5104	2880	B9a5797cb584014f3fede.exe	143
PID 2880 wrote to memory of 5104	2880	B9a5797cb584014f3fede.exe	143
PID 3300 wrote to memory of 4944	3300	B9a5797cb584014f3fede.exe	148
PID 3300 wrote to memory of 4944	3300	B9a5797cb584014f3fede.exe	148
PID 2868 wrote to memory of 4840	2868	B9a5797cb584014f3fede.exe	153
PID 2868 wrote to memory of 4840	2868	B9a5797cb584014f3fede.exe	153
PID 3608 wrote to memory of 1716	3608	B9a5797cb584014f3fede.exe	158
PID 3608 wrote to memory of 1716	3608	B9a5797cb584014f3fede.exe	158
PID 1292 wrote to memory of 4532	1292	B9a5797cb584014f3fede.exe	163
PID 1292 wrote to memory of 4532	1292	B9a5797cb584014f3fede.exe	163
PID 2252 wrote to memory of 2824	2252	B9a5797cb584014f3fede.exe	168
PID 2252 wrote to memory of 2824	2252	B9a5797cb584014f3fede.exe	168
PID 3612 wrote to memory of 3704	3612	B9a5797cb584014f3fede.exe	173
PID 3612 wrote to memory of 3704	3612	B9a5797cb584014f3fede.exe	173
PID 3308 wrote to memory of 2368	3308	B9a5797cb584014f3fede.exe	178
PID 3308 wrote to memory of 2368	3308	B9a5797cb584014f3fede.exe	178
PID 4560 wrote to memory of 2664	4560	B9a5797cb584014f3fede.exe	183
PID 4560 wrote to memory of 2664	4560	B9a5797cb584014f3fede.exe	183
PID 3888 wrote to memory of 5064	3888	B9a5797cb584014f3fede.exe	188
PID 3888 wrote to memory of 5064	3888	B9a5797cb584014f3fede.exe	188
PID 1452 wrote to memory of 1028	1452	B9a5797cb584014f3fede.exe	193
PID 1452 wrote to memory of 1028	1452	B9a5797cb584014f3fede.exe	193
PID 2788 wrote to memory of 1268	2788	B9a5797cb584014f3fede.exe	198
PID 2788 wrote to memory of 1268	2788	B9a5797cb584014f3fede.exe	198
PID 1628 wrote to memory of 4544	1628	B9a5797cb584014f3fede.exe	203
PID 1628 wrote to memory of 4544	1628	B9a5797cb584014f3fede.exe	203
PID 2312 wrote to memory of 1556	2312	B9a5797cb584014f3fede.exe	208
PID 2312 wrote to memory of 1556	2312	B9a5797cb584014f3fede.exe	208
PID 4940 wrote to memory of 4880	4940	B9a5797cb584014f3fede.exe	213
PID 4940 wrote to memory of 4880	4940	B9a5797cb584014f3fede.exe	213
PID 4032 wrote to memory of 2852	4032	B9a5797cb584014f3fede.exe	218
PID 4032 wrote to memory of 2852	4032	B9a5797cb584014f3fede.exe	218
PID 4568 wrote to memory of 4532	4568	B9a5797cb584014f3fede.exe	223
PID 4568 wrote to memory of 4532	4568	B9a5797cb584014f3fede.exe	223
PID 3020 wrote to memory of 4088	3020	B9a5797cb584014f3fede.exe	228
PID 3020 wrote to memory of 4088	3020	B9a5797cb584014f3fede.exe	228

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	B9a5797cb584014f3fede.exe

C:\Users\Admin\AppData\Local\Temp\B9a5797cb584014f3fede.exe
"C:\Users\Admin\AppData\Local\Temp\B9a5797cb584014f3fede.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "B9a5797cb584014f3fede" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\B9a5797cb584014f3fede.exe" &&START "" "C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1928
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4528
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "B9a5797cb584014f3fede" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4420
- - C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
    "C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\System32\tar.exe
      "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp82EB.tmp" -C "C:\Users\Admin\AppData\Local\gzrj1xdnai"
      4⤵
      PID:3208
  - - C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
      "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
      4⤵
      Executes dropped EXE
      PID:3392

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2252

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3620

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2256

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:656

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4796

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4540

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1236

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:5104

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4944

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4840

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1716

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4532

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2824

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3704

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2368

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2664

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:5064

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1028

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1268

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4544

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1556

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4880

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4032
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2852

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4532

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4088

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4684
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2960

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2060
- C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
  "C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\B9a5797cb584014f3fede.exe.log

Filesize
847B

MD5
3308a84a40841fab7dfec198b3c31af7

SHA1
4e7ab6336c0538be5dd7da529c0265b3b6523083

SHA256
169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e

SHA512
97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

Download Submit
C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe

Filesize
530KB

MD5
862e7aeb18ba5892f51b5712a213a614

SHA1
99d86e4247f52c3ea9b2bb476af66dfc7707fa8d

SHA256
44eca198c64197c511441f644895afd6a2777c28bcb6a376d4d4623b030ced31

SHA512
678fc8fb5dc887f41db90e6341229ce35c830ffac4cbb91ea669ab5e8bc849bae05c15909ae62e4dfd3a249bb2ff062eaa0e256989fe203863db0396c60ec713

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp82EB.tmp

Filesize
13.3MB

MD5
89d2d5811c1aff539bb355f15f3ddad0

SHA1
5bb3577c25b6d323d927200c48cd184a3e27c873

SHA256
b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

SHA512
39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

Download Submit
C:\Users\Admin\AppData\Local\gzrj1xdnai\data\cached-certs

Filesize
18KB

MD5
6a7a20cc181b25208c34881bb9246b61

SHA1
0fe1704e3a44a118d4a385fe833ebc9b0aafe004

SHA256
263eb6bc93a2d868dc9da71a451433566fffdd617d943e4b76ce36604f5852f7

SHA512
8dad5d48508f6dab8f0bafa0042a5d8bfb2be95caa7b742c9da0e1f862b16b8c628315cbef3397465006bde535419d8e1b0704c441bc9a6ba639a8fde6bf0c89

Download Submit
C:\Users\Admin\AppData\Local\gzrj1xdnai\data\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
1ba4e8d76872a3f07d07d8888154a3be

SHA1
0a30705fc4a578152125e8c3231cb47c7e09bee8

SHA256
a8477e50b6368ef5550b6be360c65ce848e8574d0f4dcd7b8ab914129e8f16f0

SHA512
0cabe54662ac1fa35afb857468c5119e5209e1ddcdb8718a236bf9599a5de88f847d948d73c5c40d2aef25b29336c25d5a31df8086ead8c439e14ca5646a6a93

Download Submit
C:\Users\Admin\AppData\Local\gzrj1xdnai\data\cached-microdescs.new

Filesize
6.0MB

MD5
f2a5a5f2429f092245d1a5c3d3bc6ee7

SHA1
e8d8d6579f418b932760062306a6beb6bb563e6d

SHA256
9d58876b43d91ec3301698b82ecb9ed082cc3a6e812aa0123ea82fab5a21e2af

SHA512
9a6942ab1bbb33d6f264482153a88958183c6c997a85a6d5546cc5fd2d847491bfdfe4d2c2b5470c4d604aa8734e8a2ad7bb402776903530fc36add3081a25fc

Download Submit
C:\Users\Admin\AppData\Local\gzrj1xdnai\host\hostname

Filesize
64B

MD5
942d0faf8844016bb779b3235ccec0ef

SHA1
716ee4d9eb7dea1ea97aecdd752a691f61ccb4dc

SHA256
2c7d8c786b07db660fd97ef09808e46fd5dccebe1e03ca9b656f209bc005a413

SHA512
07239436cd7e5b08b9627438344bf28040ed99602abb9941b49f11538cf69df561223cf620508954cbefaf1cc5f88eee8c6348021be31dee942c2918bb1173d8

Download Submit
C:\Users\Admin\AppData\Local\gzrj1xdnai\port.dat

Filesize
4B

MD5
ae0e08163d22befd4635f47bef1b6e3f

SHA1
4aa80d7f5db8cfbbfa490f3791870533904d9cf1

SHA256
0bbf9f8f0ba1a1b72492028bd81c99e6d3410311e86001fc2d52dbee3bf85618

SHA512
36726e30a28f4f75649115120f1646f3f1676d957b2337d7556cd8c9eb4bfc7de9b3bae188f772da3a43778f375a9b736933fdc744745b65b8506773b96416c6

Download Submit
C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt

Filesize
218B

MD5
81f444c0f34779c5d777a343001588e5

SHA1
da0f0c97f9270c3f0a40b0b06fb35638c4c53e56

SHA256
8ff5b66eacb70bea5328c77c82ec5843290b383249a040c35a399dc72d487b1f

SHA512
acaa76d822feaa372f2bf75fddee2d79130b9c78d9bf90c5f4c845791eeebcbcdc7426d380ba2007047200a03be8b52379ab0f865e495713567d261da2cc072f

Download Submit
memory/1292-192-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/1292-195-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/1292-193-0x000001E0BAFA0000-0x000001E0BAFB0000-memory.dmp

Filesize
64KB

Download
memory/1452-264-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/1452-266-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/1628-284-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/1628-286-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/1844-111-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/1844-105-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/2020-116-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/2020-114-0x000001EF1B8B0000-0x000001EF1B8C0000-memory.dmp

Filesize
64KB

Download
memory/2020-113-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/2024-1-0x00007FFE15670000-0x00007FFE16131000-memory.dmp

Filesize
10.8MB

Download
memory/2024-4-0x0000017212500000-0x0000017212510000-memory.dmp

Filesize
64KB

Download
memory/2024-0-0x0000017211F80000-0x000001721200A000-memory.dmp

Filesize
552KB

Download
memory/2024-6-0x00007FFE15670000-0x00007FFE16131000-memory.dmp

Filesize
10.8MB

Download
memory/2248-57-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/2248-11-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/2248-61-0x0000024914030000-0x0000024914040000-memory.dmp

Filesize
64KB

Download
memory/2248-12-0x0000024914030000-0x0000024914040000-memory.dmp

Filesize
64KB

Download
memory/2252-206-0x000001FE8F1F0000-0x000001FE8F200000-memory.dmp

Filesize
64KB

Download
memory/2252-208-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/2252-205-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/2312-296-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/2312-298-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/2760-139-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/2760-141-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/2788-278-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/2788-276-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/2868-175-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/2868-176-0x000001145E370000-0x000001145E380000-memory.dmp

Filesize
64KB

Download
memory/2868-178-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/2880-153-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/2880-151-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/2988-79-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/2988-80-0x0000022141140000-0x0000022141150000-memory.dmp

Filesize
64KB

Download
memory/2988-83-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/3076-147-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/3076-149-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/3300-169-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/3300-167-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/3308-231-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/3308-233-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/3608-180-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/3608-182-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/3612-217-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/3612-214-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/3612-215-0x0000014A931E0000-0x0000014A931F0000-memory.dmp

Filesize
64KB

Download
memory/3888-252-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/3888-254-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/4032-315-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/4032-313-0x000001EB52760000-0x000001EB52770000-memory.dmp

Filesize
64KB

Download
memory/4032-312-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/4368-118-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/4368-120-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/4560-239-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/4560-240-0x0000014EFC170000-0x0000014EFC180000-memory.dmp

Filesize
64KB

Download
memory/4560-242-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/4568-321-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/4916-130-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/4916-131-0x0000015F3C820000-0x0000015F3C830000-memory.dmp

Filesize
64KB

Download
memory/4916-133-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/4940-308-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download
memory/4940-310-0x00007FFE14D10000-0x00007FFE157D1000-memory.dmp

Filesize
10.8MB

Download