gurcu | 4960838a390adf1ea412850ca14f15ce7c201fa967c0089df97742ee517ed0fe

Analysis

max time kernel
507s
max time network
506s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara.exe
Size

796KB
MD5

e91f3ec430934cf29cda88d9b730d893
SHA1

6453d1f200f568b7964861c683a4f519431a9468
SHA256

4960838a390adf1ea412850ca14f15ce7c201fa967c0089df97742ee517ed0fe
SHA512

cc6afc8a20943ef7d18aaddde9f9257dbd7d0913aeb5ef66734cd593e580ecddde7a0706e4415c202655536b0665ce81116fd5ed487d3311caa10b33fbb7406b
SSDEEP

12288:wyveQB/fTHIGaPkKEYzURNAwbAg/KyEbx/j76eLaOfqPCm+3KP8ps1uZ:wuDXTIGaPhEYzUzA0kyE1jue+AvUG

Score

10^/10

gurcu xworm execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:1764

cash-hispanic.gl.at.ply.gg:1764

Attributes

Install_directory
%AppData%
install_file
explorer.exe
telegram
https://api.telegram.org/bot8013268995:AAHt5-BJsAIEM9hnoTy17y1WYC4NnCMU398/sendMessage?chat_id=5405936031

Extracted

Family

gurcu

https://api.telegram.org/bot8013268995:AAHt5-BJsAIEM9hnoTy17y1WYC4NnCMU398/sendMessage?chat_id=5405936031

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c80-6.dat	family_xworm
behavioral1/memory/3100-22-0x0000000000D90000-0x0000000000DAA000-memory.dmp	family_xworm

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2024	powershell.exe
2448	powershell.exe
2244	powershell.exe
5020	powershell.exe
3976	powershell.exe
3804	powershell.exe
2152	powershell.exe
2856	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	BootstrapperV21.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	BootstrapperV21.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	BootstrapperV21.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
3100	BootstrapperV21.exe
3008	Bootstrapper.exe
1956	BootstrapperV1.22.exe
1172	explorer.exe
3032	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	BootstrapperV21.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	pastebin.com
23	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5008	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3672	systeminfo.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
880	schtasks.exe
4268	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3804	powershell.exe
3804	powershell.exe
2152	powershell.exe
2152	powershell.exe
2856	powershell.exe
2856	powershell.exe
2024	powershell.exe
2024	powershell.exe
3100	BootstrapperV21.exe
2448	powershell.exe
2448	powershell.exe
2244	powershell.exe
2244	powershell.exe
5020	powershell.exe
5020	powershell.exe
3976	powershell.exe
3976	powershell.exe
3032	explorer.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3100	BootstrapperV21.exe
Token: SeDebugPrivilege	3008	Bootstrapper.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	3100	BootstrapperV21.exe
Token: SeDebugPrivilege	1956	BootstrapperV1.22.exe
Token: SeDebugPrivilege	1172	explorer.exe
Token: SeDebugPrivilege	3032	explorer.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	3032	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3100	BootstrapperV21.exe
3032	explorer.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 3100	1968	Solara.exe	83
PID 1968 wrote to memory of 3100	1968	Solara.exe	83
PID 1968 wrote to memory of 3008	1968	Solara.exe	85
PID 1968 wrote to memory of 3008	1968	Solara.exe	85
PID 3100 wrote to memory of 3804	3100	BootstrapperV21.exe	91
PID 3100 wrote to memory of 3804	3100	BootstrapperV21.exe	91
PID 3100 wrote to memory of 2152	3100	BootstrapperV21.exe	93
PID 3100 wrote to memory of 2152	3100	BootstrapperV21.exe	93
PID 3100 wrote to memory of 2856	3100	BootstrapperV21.exe	95
PID 3100 wrote to memory of 2856	3100	BootstrapperV21.exe	95
PID 3100 wrote to memory of 2024	3100	BootstrapperV21.exe	97
PID 3100 wrote to memory of 2024	3100	BootstrapperV21.exe	97
PID 3008 wrote to memory of 1956	3008	Bootstrapper.exe	99
PID 3008 wrote to memory of 1956	3008	Bootstrapper.exe	99
PID 1956 wrote to memory of 2068	1956	BootstrapperV1.22.exe	101
PID 1956 wrote to memory of 2068	1956	BootstrapperV1.22.exe	101
PID 2068 wrote to memory of 5008	2068	cmd.exe	104
PID 2068 wrote to memory of 5008	2068	cmd.exe	104
PID 3100 wrote to memory of 880	3100	BootstrapperV21.exe	106
PID 3100 wrote to memory of 880	3100	BootstrapperV21.exe	106
PID 3100 wrote to memory of 2928	3100	BootstrapperV21.exe	116
PID 3100 wrote to memory of 2928	3100	BootstrapperV21.exe	116
PID 2928 wrote to memory of 3672	2928	CMD.EXE	118
PID 2928 wrote to memory of 3672	2928	CMD.EXE	118
PID 3032 wrote to memory of 2448	3032	explorer.exe	124
PID 3032 wrote to memory of 2448	3032	explorer.exe	124
PID 3032 wrote to memory of 2244	3032	explorer.exe	126
PID 3032 wrote to memory of 2244	3032	explorer.exe	126
PID 3032 wrote to memory of 5020	3032	explorer.exe	128
PID 3032 wrote to memory of 5020	3032	explorer.exe	128
PID 3032 wrote to memory of 3976	3032	explorer.exe	130
PID 3032 wrote to memory of 3976	3032	explorer.exe	130
PID 3032 wrote to memory of 4268	3032	explorer.exe	132
PID 3032 wrote to memory of 4268	3032	explorer.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BootstrapperV21.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:880
- - C:\Windows\SYSTEM32\CMD.EXE
    "CMD.EXE"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3672
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.22.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.22.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe" --isUpdate true
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c ipconfig /all
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:5008

C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
83685d101174171875b4a603a6c2a35c

SHA1
37be24f7c4525e17fa18dbd004186be3a9209017

SHA256
0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870

SHA512
005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47605a4dda32c9dff09a9ca441417339

SHA1
4f68c895c35b0dc36257fc8251e70b968c560b62

SHA256
e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a

SHA512
b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d013b69d1a8bc44a599a20aa767332ed

SHA1
9949c222e8664c419294d6bd5ca13184b2b2e3c8

SHA256
9fcb62333faf9fae34f4e882c6af4065a233063fbdf9a550ac849d650573463c

SHA512
3554c4ea46dea441d9ea98e24c55f71e7d75490b38a5ab81a3d7d267e85ceaa6f6a38dc339f2eed6544c2bb744ae16b2de69f6a2c74e56782c8e6a1782d996d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4920f7bec7cdb8ac44637a6af9d2fc6f

SHA1
d4c5e3c9397926ec9bdaccdd955e89f5138b1816

SHA256
8cc607eab702c5690ee5d64f5d34add46b7093c23751506dad728853a434a277

SHA512
321e8178ebd08d680c6d1af467ab73e3055af8c8bb06ee81b1af46bd6718e5a060c339da5a281028c2557ab8d85172921e10363ccd8d411aa0e75f62119838d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1f8b23cd03fdfb5d4559ac10c445b89f

SHA1
cea378877687b1967095d5237e3c0111929f012d

SHA256
f1bb0869c1d26c4282aa06a4840a9ca86e9145c136af42bb85b6d2e77e684551

SHA512
3ffe559e174f4706d3e7681f0d88d53dfde5eef56ee5005ccf7b3036a5d6ba85e02fa4d0cb213d237afcb894d79fbe673b18f986f57db2904558f447e42fe550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0256bd284691ed0fc502ef3c8a7e58dc

SHA1
dcdf69dc8ca8bf068f65d20ef1563bbe283e2413

SHA256
e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf

SHA512
c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe

Filesize
796KB

MD5
4b94b989b0fe7bec6311153b309dfe81

SHA1
bb50a4bb8a66f0105c5b74f32cd114c672010b22

SHA256
7c4283f5e620b2506bcb273f947def4435d95e143ae3067a783fd3adc873a659

SHA512
fbbe60cf3e5d028d906e7d444b648f7dff8791c333834db8119e0a950532a75fda2e9bd5948f0b210904667923eb7b2c0176140babc497955d227e7d80fb109d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.22.exe

Filesize
800KB

MD5
2a4dcf20b82896be94eb538260c5fb93

SHA1
21f232c2fd8132f8677e53258562ad98b455e679

SHA256
ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a

SHA512
4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe

Filesize
77KB

MD5
b3a1a7ef45c3a920f515adc541ee75f4

SHA1
fa69e1c57709dfa076e792509e6c77d297e47664

SHA256
5cb0406be361324ecaeaa54238d82b24dffdfff8ae35dd2a59301e83e71d9d79

SHA512
8628cbac85e04d9f0ada20e6f46c74d3e22edda7095043e1f61bcfd7836b54f29f4dde6de6c72309fd8f7cf66a2d69d1fe7288914a213c35b1d40f7d98e4271c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DISCORD

Filesize
103B

MD5
487ab53955a5ea101720115f32237a45

SHA1
c59d22f8bc8005694505addef88f7968c8d393d3

SHA256
d64354a111fd859a08552f6738fecd8c5594475e8c03bb37546812a205d0d368

SHA512
468689d98645c9f32813d833a07bbcf96fe0de4593f4f4dc6757501fbce8e9951d21a8aa4a7050a87a904d203f521134328d426d4e6ab9f20e7e759769003b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_svllydkz.jf2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk

Filesize
778B

MD5
f52422154c6f23f86e47f6c02639e13a

SHA1
ea40834eb447a4d0a315f6966fe1b83038fefa80

SHA256
1562698dbedfb40423803999a408d9596a02d9231298b857822057ce0a72c8ef

SHA512
5158405a93c40b0403669d066025b824c1100c038f420bc4916bfc6c34e44dd3d453618c39dc23770438f161fd0cf1c65194bb841e1f053c9118e5bb973a2b6c

Download Submit
memory/1956-88-0x0000020008E50000-0x0000020008F1E000-memory.dmp

Filesize
824KB

Download
memory/3008-29-0x0000018F73650000-0x0000018F73672000-memory.dmp

Filesize
136KB

Download
memory/3008-86-0x00007FFB75EA0000-0x00007FFB76961000-memory.dmp

Filesize
10.8MB

Download
memory/3008-26-0x0000018F73120000-0x0000018F731EE000-memory.dmp

Filesize
824KB

Download
memory/3008-27-0x00007FFB75EA0000-0x00007FFB76961000-memory.dmp

Filesize
10.8MB

Download
memory/3100-96-0x00007FFB75EA3000-0x00007FFB75EA5000-memory.dmp

Filesize
8KB

Download
memory/3100-102-0x0000000002FD0000-0x0000000002FDA000-memory.dmp

Filesize
40KB

Download
memory/3100-108-0x00007FFB75EA0000-0x00007FFB76961000-memory.dmp

Filesize
10.8MB

Download
memory/3100-101-0x000000001C420000-0x000000001C42C000-memory.dmp

Filesize
48KB

Download
memory/3100-100-0x00007FFB75EA0000-0x00007FFB76961000-memory.dmp

Filesize
10.8MB

Download
memory/3100-22-0x0000000000D90000-0x0000000000DAA000-memory.dmp

Filesize
104KB

Download
memory/3100-16-0x00007FFB75EA3000-0x00007FFB75EA5000-memory.dmp

Filesize
8KB

Download
memory/3100-93-0x00007FFB75EA0000-0x00007FFB76961000-memory.dmp

Filesize
10.8MB

Download