gurcu | c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d

Resubmissions

10-04-2024 02:41

240410-c6hmmsfd7z 10

10-04-2024 02:41

10-04-2024 02:41

10-04-2024 02:41

14-10-2023 01:33

Analysis

max time kernel
1788s
max time network
1737s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10-04-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x19a4f9f3d16fcc9779ba8ea79bf7.exe
Size

392KB
MD5

2299a17350433284e58bd0fcc10edf41
SHA1

d477f1cd55365db00ca77cc5459afabe1ffc80b3
SHA256

c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d
SHA512

123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1
SSDEEP

6144:5cJGLvLE5hu6Me646G0D1ecme1x9b31v4n:uUvLr6k9b5ecmed1v4

Score

10^/10

gurcu collection spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6193093056:AAHzyNGUGS9aUG6CCx6ENLoXpCFLzEQywIQ/sendMessage?chat_id=1098292643

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Executes dropped EXE 31 IoCs

pid	Process
2388	x19a4f9f3d16fcc9779ba8ea79bf7.exe
3192	x19a4f9f3d16fcc9779ba8ea79bf7.exe
5056	x19a4f9f3d16fcc9779ba8ea79bf7.exe
2116	x19a4f9f3d16fcc9779ba8ea79bf7.exe
2848	x19a4f9f3d16fcc9779ba8ea79bf7.exe
2648	x19a4f9f3d16fcc9779ba8ea79bf7.exe
5056	x19a4f9f3d16fcc9779ba8ea79bf7.exe
2160	x19a4f9f3d16fcc9779ba8ea79bf7.exe
1920	x19a4f9f3d16fcc9779ba8ea79bf7.exe
416	x19a4f9f3d16fcc9779ba8ea79bf7.exe
1484	x19a4f9f3d16fcc9779ba8ea79bf7.exe
4132	x19a4f9f3d16fcc9779ba8ea79bf7.exe
4440	x19a4f9f3d16fcc9779ba8ea79bf7.exe
1272	x19a4f9f3d16fcc9779ba8ea79bf7.exe
4628	x19a4f9f3d16fcc9779ba8ea79bf7.exe
3648	x19a4f9f3d16fcc9779ba8ea79bf7.exe
3688	x19a4f9f3d16fcc9779ba8ea79bf7.exe
2136	x19a4f9f3d16fcc9779ba8ea79bf7.exe
2480	x19a4f9f3d16fcc9779ba8ea79bf7.exe
4368	x19a4f9f3d16fcc9779ba8ea79bf7.exe
1444	x19a4f9f3d16fcc9779ba8ea79bf7.exe
2992	x19a4f9f3d16fcc9779ba8ea79bf7.exe
3200	x19a4f9f3d16fcc9779ba8ea79bf7.exe
4364	x19a4f9f3d16fcc9779ba8ea79bf7.exe
1592	x19a4f9f3d16fcc9779ba8ea79bf7.exe
3104	x19a4f9f3d16fcc9779ba8ea79bf7.exe
1360	x19a4f9f3d16fcc9779ba8ea79bf7.exe
944	x19a4f9f3d16fcc9779ba8ea79bf7.exe
3420	x19a4f9f3d16fcc9779ba8ea79bf7.exe
4760	x19a4f9f3d16fcc9779ba8ea79bf7.exe
1580	x19a4f9f3d16fcc9779ba8ea79bf7.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key opened	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key opened	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4800	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3648	PING.EXE

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	416	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	2388	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	3192	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	5056	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	2116	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	2848	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	2648	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	5056	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	2160	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	1920	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	416	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	1484	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	4132	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	4440	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	1272	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	4628	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	3648	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	3688	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	2136	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	2480	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	4368	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	1444	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	2992	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	3200	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	4364	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	1592	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	3104	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	1360	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	944	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	3420	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	4760	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	1580	x19a4f9f3d16fcc9779ba8ea79bf7.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 416 wrote to memory of 4172	416	x19a4f9f3d16fcc9779ba8ea79bf7.exe	74
PID 416 wrote to memory of 4172	416	x19a4f9f3d16fcc9779ba8ea79bf7.exe	74
PID 4172 wrote to memory of 196	4172	cmd.exe	76
PID 4172 wrote to memory of 196	4172	cmd.exe	76
PID 4172 wrote to memory of 3648	4172	cmd.exe	77
PID 4172 wrote to memory of 3648	4172	cmd.exe	77
PID 4172 wrote to memory of 4800	4172	cmd.exe	78
PID 4172 wrote to memory of 4800	4172	cmd.exe	78
PID 4172 wrote to memory of 2388	4172	cmd.exe	79
PID 4172 wrote to memory of 2388	4172	cmd.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe
"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:196
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3648
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4800
- - C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
    "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2388

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:416

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x19a4f9f3d16fcc9779ba8ea79bf7.exe.log

Filesize
847B

MD5
a908a7c6e93edeb3e400780b6fe62dde

SHA1
36e2b437f41443f6b41b45b35a0f97b2cd94123d

SHA256
cae801b0499949178298c1c1a083f7c0febb971d262be9c9588437af66c76ef0

SHA512
deb437dcb1440d37bcd61dfa43be05fd01856a1d1e59aa5b2dfa142e9ae584b0577eea024edb99d8e74e3a1b606bb7ae3b4f9cd8eb30813e67dda678b9319cbe

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

Filesize
392KB

MD5
2299a17350433284e58bd0fcc10edf41

SHA1
d477f1cd55365db00ca77cc5459afabe1ffc80b3

SHA256
c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d

SHA512
123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1

Download Submit
memory/416-50-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/416-49-0x000001EB48E70000-0x000001EB48E80000-memory.dmp

Filesize
64KB

Download
memory/416-2-0x0000022F630A0000-0x0000022F630B0000-memory.dmp

Filesize
64KB

Download
memory/416-1-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/416-48-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/416-6-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/416-0-0x0000022F61480000-0x0000022F614E8000-memory.dmp

Filesize
416KB

Download
memory/1272-65-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/1272-64-0x0000018124390000-0x00000181243A0000-memory.dmp

Filesize
64KB

Download
memory/1272-63-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/1444-89-0x0000027176660000-0x0000027176670000-memory.dmp

Filesize
64KB

Download
memory/1444-88-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/1444-90-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/1484-53-0x0000016E70A10000-0x0000016E70A20000-memory.dmp

Filesize
64KB

Download
memory/1484-52-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/1484-54-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/1920-44-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/1920-46-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/1920-45-0x00000221DDF10000-0x00000221DDF20000-memory.dmp

Filesize
64KB

Download
memory/2116-27-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/2116-26-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/2136-79-0x000002237A220000-0x000002237A230000-memory.dmp

Filesize
64KB

Download
memory/2136-78-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/2136-80-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/2160-40-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/2160-42-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/2160-41-0x000001F8DC8A0000-0x000001F8DC8B0000-memory.dmp

Filesize
64KB

Download
memory/2388-11-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/2388-15-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/2388-16-0x000001D6BD610000-0x000001D6BD620000-memory.dmp

Filesize
64KB

Download
memory/2388-12-0x000001D6BD610000-0x000001D6BD620000-memory.dmp

Filesize
64KB

Download
memory/2480-82-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/2480-83-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/2648-35-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/2648-33-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/2648-34-0x000001C5C6580000-0x000001C5C6590000-memory.dmp

Filesize
64KB

Download
memory/2848-29-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/2848-30-0x000002047F8D0000-0x000002047F8E0000-memory.dmp

Filesize
64KB

Download
memory/2848-31-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/2992-92-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/2992-93-0x00000183145F0000-0x0000018314600000-memory.dmp

Filesize
64KB

Download
memory/3192-20-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/3192-19-0x0000025078FA0000-0x0000025078FB0000-memory.dmp

Filesize
64KB

Download
memory/3192-18-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/3648-71-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/3648-72-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/3688-74-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/3688-75-0x000001ABF2F10000-0x000001ABF2F20000-memory.dmp

Filesize
64KB

Download
memory/3688-76-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/4132-56-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/4132-58-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/4132-57-0x0000021E3BE90000-0x0000021E3BEA0000-memory.dmp

Filesize
64KB

Download
memory/4368-86-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/4368-85-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/4440-61-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/4440-60-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/4628-69-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/4628-68-0x000001D01F520000-0x000001D01F530000-memory.dmp

Filesize
64KB

Download
memory/4628-67-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/5056-38-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/5056-22-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/5056-23-0x0000023FC7A90000-0x0000023FC7AA0000-memory.dmp

Filesize
64KB

Download
memory/5056-24-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download
memory/5056-37-0x00007FFF68820000-0x00007FFF6920C000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads