gurcu | d71329c78c704ee9cc7133761b5e738a315e7eb784e348d7743a8a7366724e9f

Resubmissions

10-04-2024 02:38

240410-c4pceacb24 10

10-04-2024 02:37

10-04-2024 02:37

10-04-2024 02:37

14-10-2023 01:31

Analysis

max time kernel
1797s
max time network
1803s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Size

339KB
MD5

1cab66a5c15f97f040fb23d354d04a9c
SHA1

f0dbebd22b2c7bfedbefa4435b345c58416f9448
SHA256

d71329c78c704ee9cc7133761b5e738a315e7eb784e348d7743a8a7366724e9f
SHA512

a5508a75a0a7c747cc50fe8284b9097e1cb9ae83bd7e80553ffa875a6d07d6eec7fc18f66a0a328aa0614c26642d884bfe152e6c09a11eeb0d64f6be66064eab
SSDEEP

3072:gdrpN/JlLKd5hkad0lk0vGJGMlngDBXrkhamyeFykt9sxc8eTRLUvenjLM/zNlgl:0UGPUvva+lxXY6uXAJMI9bAV0D

Score

10^/10

gurcu collection spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6193093056:AAHzyNGUGS9aUG6CCx6ENLoXpCFLzEQywIQ/sendMessage?chat_id=1098292643

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 32 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

Executes dropped EXE 62 IoCs

pid	Process
4476	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1428	tor.exe
4360	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
2444	tor.exe
724	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
4112	tor.exe
3372	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
2688	tor.exe
2968	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
400	tor.exe
3336	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
2760	tor.exe
824	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
3788	tor.exe
4632	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1860	tor.exe
1624	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
3028	tor.exe
2432	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
824	tor.exe
4712	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
3512	tor.exe
4200	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
4000	tor.exe
4576	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1856	tor.exe
1484	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
2184	tor.exe
1172	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1600	tor.exe
4436	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
992	tor.exe
2184	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
4012	tor.exe
756	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
3200	tor.exe
2044	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1124	tor.exe
3552	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
2760	tor.exe
1548	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
2032	tor.exe
2772	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
4200	tor.exe
1404	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
2100	tor.exe
1548	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
3876	tor.exe
1608	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
4064	tor.exe
3016	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
868	tor.exe
2476	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
436	tor.exe
1828	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
2892	tor.exe
3496	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
5072	tor.exe
3656	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1984	tor.exe
3800	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
896	tor.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
99	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4228	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4664	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4476	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
4476	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	3752	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	4476	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	4360	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	724	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	3372	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	2968	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	3336	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	824	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	4632	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	1624	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	2432	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	4712	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	4200	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	4576	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	1484	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	1172	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	4436	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	2184	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	756	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	2044	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	3552	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	1548	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	2772	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	1404	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	1548	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	1608	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	3016	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	2476	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	1828	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	3496	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	3656	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeManageVolumePrivilege	3612	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 2704	3752	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	93
PID 3752 wrote to memory of 2704	3752	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	93
PID 2704 wrote to memory of 3116	2704	cmd.exe	95
PID 2704 wrote to memory of 3116	2704	cmd.exe	95
PID 2704 wrote to memory of 4664	2704	cmd.exe	96
PID 2704 wrote to memory of 4664	2704	cmd.exe	96
PID 2704 wrote to memory of 4228	2704	cmd.exe	99
PID 2704 wrote to memory of 4228	2704	cmd.exe	99
PID 2704 wrote to memory of 4476	2704	cmd.exe	100
PID 2704 wrote to memory of 4476	2704	cmd.exe	100
PID 4476 wrote to memory of 2872	4476	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	103
PID 4476 wrote to memory of 2872	4476	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	103
PID 4476 wrote to memory of 1428	4476	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	106
PID 4476 wrote to memory of 1428	4476	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	106
PID 4360 wrote to memory of 2444	4360	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	115
PID 4360 wrote to memory of 2444	4360	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	115
PID 724 wrote to memory of 4112	724	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	121
PID 724 wrote to memory of 4112	724	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	121
PID 3372 wrote to memory of 2688	3372	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	126
PID 3372 wrote to memory of 2688	3372	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	126
PID 2968 wrote to memory of 400	2968	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	131
PID 2968 wrote to memory of 400	2968	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	131
PID 3336 wrote to memory of 2760	3336	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	136
PID 3336 wrote to memory of 2760	3336	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	136
PID 824 wrote to memory of 3788	824	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	141
PID 824 wrote to memory of 3788	824	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	141
PID 4632 wrote to memory of 1860	4632	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	146
PID 4632 wrote to memory of 1860	4632	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	146
PID 1624 wrote to memory of 3028	1624	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	152
PID 1624 wrote to memory of 3028	1624	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	152
PID 2432 wrote to memory of 824	2432	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	157
PID 2432 wrote to memory of 824	2432	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	157
PID 4712 wrote to memory of 3512	4712	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	162
PID 4712 wrote to memory of 3512	4712	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	162
PID 4200 wrote to memory of 4000	4200	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	167
PID 4200 wrote to memory of 4000	4200	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	167
PID 4576 wrote to memory of 1856	4576	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	172
PID 4576 wrote to memory of 1856	4576	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	172
PID 1484 wrote to memory of 2184	1484	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	178
PID 1484 wrote to memory of 2184	1484	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	178
PID 1172 wrote to memory of 1600	1172	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	183
PID 1172 wrote to memory of 1600	1172	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	183
PID 4436 wrote to memory of 992	4436	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	188
PID 4436 wrote to memory of 992	4436	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	188
PID 2184 wrote to memory of 4012	2184	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	193
PID 2184 wrote to memory of 4012	2184	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	193
PID 756 wrote to memory of 3200	756	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	198
PID 756 wrote to memory of 3200	756	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	198
PID 2044 wrote to memory of 1124	2044	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	203
PID 2044 wrote to memory of 1124	2044	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	203
PID 3552 wrote to memory of 2760	3552	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	208
PID 3552 wrote to memory of 2760	3552	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	208
PID 1548 wrote to memory of 2032	1548	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	213
PID 1548 wrote to memory of 2032	1548	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	213
PID 2772 wrote to memory of 4200	2772	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	218
PID 2772 wrote to memory of 4200	2772	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	218
PID 1404 wrote to memory of 2100	1404	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	230
PID 1404 wrote to memory of 2100	1404	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	230
PID 1548 wrote to memory of 3876	1548	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	237
PID 1548 wrote to memory of 3876	1548	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	237
PID 1608 wrote to memory of 4064	1608	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	242
PID 1608 wrote to memory of 4064	1608	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	242
PID 3016 wrote to memory of 868	3016	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	249
PID 3016 wrote to memory of 868	3016	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	249

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
"C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "k2fef4820980d3c2c1f2cce2f95e94f5e1c18" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3116
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4664
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "k2fef4820980d3c2c1f2cce2f95e94f5e1c18" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4228
- - C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
    "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:4476
  - - C:\Windows\System32\tar.exe
      "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpC7E.tmp" -C "C:\Users\Admin\AppData\Local\lcybndk48g"
      4⤵
      PID:2872
  - - C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
      "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
      4⤵
      Executes dropped EXE
      PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:4052

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2444

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:724
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4112

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2688

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:400

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2760

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3788

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3376 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:4596

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3028

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:824

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3512

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4000

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1856

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2184

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1600

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:992

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4012

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3200

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1124

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2760

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2032

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4200

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2100

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3876

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4064

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:868

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2476
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:436

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1828
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2892

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3496
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:5072

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3656
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1984

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3800
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe.log

Filesize
847B

MD5
3308a84a40841fab7dfec198b3c31af7

SHA1
4e7ab6336c0538be5dd7da529c0265b3b6523083

SHA256
169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e

SHA512
97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

Filesize
339KB

MD5
1cab66a5c15f97f040fb23d354d04a9c

SHA1
f0dbebd22b2c7bfedbefa4435b345c58416f9448

SHA256
d71329c78c704ee9cc7133761b5e738a315e7eb784e348d7743a8a7366724e9f

SHA512
a5508a75a0a7c747cc50fe8284b9097e1cb9ae83bd7e80553ffa875a6d07d6eec7fc18f66a0a328aa0614c26642d884bfe152e6c09a11eeb0d64f6be66064eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC7E.tmp

Filesize
13.3MB

MD5
89d2d5811c1aff539bb355f15f3ddad0

SHA1
5bb3577c25b6d323d927200c48cd184a3e27c873

SHA256
b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

SHA512
39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

Download Submit
C:\Users\Admin\AppData\Local\lcybndk48g\data\cached-certs

Filesize
18KB

MD5
9674e7e18394b84607a53408659955b9

SHA1
575a9b1566d6db21eb525f010a17018710d9f9af

SHA256
a9f4b0a3ce3e73d23bbccac99870af042a2e892d440b7d4dd2521507af5a777a

SHA512
f68b93f692e8006b3f6953d695ac3d53280cbf08850c5571684d024b76dfd8c26474b65d427f0f3dfe424d1fbe428b835b77e09ce9bf905acd9f5650117a5709

Download Submit
C:\Users\Admin\AppData\Local\lcybndk48g\data\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
a0db8a87f7b723266c8b04255da46b06

SHA1
4df00ea56d22d88f3d2e005ef66bad5b3ef92ebf

SHA256
60b43cdce0f807f7891521f396f53def34a7d98986dbde0faa2a197189c587f3

SHA512
41b8fc467d11af7ca6a42c7e94d1b8295ab3ae5d6d186b4f378e6e079440520e8324b695da1134beb2bc1697d2491edcc70c1b75ab6fc66b9c1cb2ecbcdb4a7d

Download Submit
C:\Users\Admin\AppData\Local\lcybndk48g\data\cached-microdescs.new

Filesize
9.3MB

MD5
4590bb4b150922d8581068f486347681

SHA1
cf4a28d4628c5167f4c132195c9b7e05c234634c

SHA256
ec17baa0ca7a4768ff62f19c0bd93d124543cd69880fa55113fbb4080ec9688f

SHA512
dd41a660d2aedce0636f876fb7f911bdc5593bc7b321e4a4fb5588210b0c1c91f7282c7d29011952dbfa29719205df12c4d8528361936daae8971653c4105fc4

Download Submit
C:\Users\Admin\AppData\Local\lcybndk48g\host\hostname

Filesize
64B

MD5
f84bb5553ead48b682200d3ae4405b22

SHA1
ddc47b0f6d74b40b832c221b60c08cc398675c0d

SHA256
b99116975c3c4f41f28eeb0aae8f674b59d22e2bd79061073b77b8c16c2c63e3

SHA512
393f6851247ec6a5e34778ac03ee42388802bb65c24b68105dee7ee20f4ae53cb2421206bf0255f138cb519237bf7f423c117d98891c6a820006153742b3c65f

Download Submit
C:\Users\Admin\AppData\Local\lcybndk48g\port.dat

Filesize
4B

MD5
a5bad363fc47f424ddf5091c8471480a

SHA1
5ac58e3894934d24e622b9433e621268e6070b17

SHA256
43eb64f59e486941b18ab12531dd6a4c6d5cc41f9f246effea3f923e619fd7e4

SHA512
7054af65c7d8c5ccadff67c348550354e2a3c571fa5907730afb506a8a2400de9e08e25ab6a7fa55272decd48915f9ea599c304eac07677553357d437eb79283

Download Submit
C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe

Filesize
1.7MB

MD5
bf525e085714bdcd44980218557983bf

SHA1
6a67b50e7167fd284f8952744db3c59a68c29ee9

SHA256
914b2120717ba047f099bc8105aa2a094731f0d5c0285d10bc867cdc3945ae3e

SHA512
4a209eb5fc2902c6b5efd3fe925062f52aabd07c016c5d7b9f331e269bd86df2d7db03683cd613fa37e2b37b1bb9281fcdb2e179e0c64526f9ed96dbb661e4e2

Download Submit
C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt

Filesize
218B

MD5
8dc1ad3b0a250b18fa1145868f0e3432

SHA1
95381a54e5ec56dd31a5392edaca5f5a4401f8c1

SHA256
69d3fb8910bd88eb7dbb31d1031469d4f84a9fac5b5d86060dcc90b109f77a4c

SHA512
0c08b904a48538c0d9e42d63e9edc1afb5185be8253497104cb906ea0fcccde636574a08735d87e6c76146fee02bd65e4d823d85626e00688a043843075540bb

Download Submit
memory/724-95-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/724-92-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/756-251-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/756-249-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/824-137-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/824-131-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/1172-214-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/1172-212-0x0000028573A50000-0x0000028573A60000-memory.dmp

Filesize
64KB

Download
memory/1172-211-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/1404-312-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/1404-310-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/1484-199-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/1484-201-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/1548-286-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/1548-288-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/1548-320-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/1548-318-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/1608-332-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/1608-330-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/1624-147-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/1624-149-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/2044-261-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/2044-262-0x000001FA34530000-0x000001FA34540000-memory.dmp

Filesize
64KB

Download
memory/2044-264-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/2184-239-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/2184-237-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/2432-159-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/2432-161-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/2476-350-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/2772-298-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/2772-300-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/2968-110-0x000001D929D70000-0x000001D929D80000-memory.dmp

Filesize
64KB

Download
memory/2968-112-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/2968-109-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/3016-346-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/3016-348-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/3336-125-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/3336-122-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/3336-123-0x00000156DBAD0000-0x00000156DBAE0000-memory.dmp

Filesize
64KB

Download
memory/3372-103-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/3372-101-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/3552-274-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/3552-276-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/3612-418-0x0000028F30F30000-0x0000028F30F31000-memory.dmp

Filesize
4KB

Download
memory/3612-417-0x0000028F30E20000-0x0000028F30E21000-memory.dmp

Filesize
4KB

Download
memory/3612-416-0x0000028F30E20000-0x0000028F30E21000-memory.dmp

Filesize
4KB

Download
memory/3612-414-0x0000028F30DF0000-0x0000028F30DF1000-memory.dmp

Filesize
4KB

Download
memory/3612-398-0x0000028F28A80000-0x0000028F28A90000-memory.dmp

Filesize
64KB

Download
memory/3612-382-0x0000028F28980000-0x0000028F28990000-memory.dmp

Filesize
64KB

Download
memory/3752-1-0x00007FFC8C830000-0x00007FFC8D2F1000-memory.dmp

Filesize
10.8MB

Download
memory/3752-0-0x000001F2A88E0000-0x000001F2A893C000-memory.dmp

Filesize
368KB

Download
memory/3752-2-0x000001F2C2EB0000-0x000001F2C2EC0000-memory.dmp

Filesize
64KB

Download
memory/3752-6-0x00007FFC8C830000-0x00007FFC8D2F1000-memory.dmp

Filesize
10.8MB

Download
memory/4200-181-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/4200-179-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/4360-86-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/4360-82-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/4360-83-0x000001F3FAED0000-0x000001F3FAEE0000-memory.dmp

Filesize
64KB

Download
memory/4436-225-0x000002453E8D0000-0x000002453E8E0000-memory.dmp

Filesize
64KB

Download
memory/4436-227-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/4436-224-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/4476-59-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/4476-12-0x0000022A7BC70000-0x0000022A7BC80000-memory.dmp

Filesize
64KB

Download
memory/4476-11-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/4576-191-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/4576-193-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/4632-141-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/4632-139-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/4712-173-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download
memory/4712-171-0x00007FFC8AD40000-0x00007FFC8B801000-memory.dmp

Filesize
10.8MB

Download