gurcu | dba8f020ac6d09728422932492657fea3f0a95754cd279f5a949b6982bd32129

Resubmissions

10-04-2024 02:52

240410-dcqxlaff2v 10

10-04-2024 02:52

10-04-2024 02:51

10-04-2024 02:51

14-10-2023 04:10

Analysis

max time kernel
1198s
max time network
1201s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f21559ac7c67d871d4f05.exe
Size

327KB
MD5

78fd6df30f791c7b5f45dca0b4c952a5
SHA1

d977ca82da0850eb5d4e69c9c657d1a41fb9c44d
SHA256

dba8f020ac6d09728422932492657fea3f0a95754cd279f5a949b6982bd32129
SHA512

abf0efb2412c522fbb7f6725a548e8d6a8bc045801a4dd8652a544a1527b99647140ad4843c41a6b00a728a5d8361c7e2ea80eba8ee3b291238729277dad228d
SSDEEP

6144:Vc6sWfGY/yODx332tOIXlU1QWZxXAnuHW9bbGDwVdqe1mM:Ps+CXIAuGG8dA

Score

10^/10

gurcu collection discovery spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot5968091729:AAHVag_ncx5c5AIYERGTqv9kr7clJT1_HDU/sendMessage?chat_id=-1001962300376

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 22 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	f21559ac7c67d871d4f05.exe

Executes dropped EXE 42 IoCs

pid	Process
1896	f21559ac7c67d871d4f05.exe
1796	tor.exe
3516	f21559ac7c67d871d4f05.exe
1516	tor.exe
1788	f21559ac7c67d871d4f05.exe
4296	tor.exe
3668	f21559ac7c67d871d4f05.exe
1916	tor.exe
4812	f21559ac7c67d871d4f05.exe
3888	tor.exe
4760	f21559ac7c67d871d4f05.exe
4408	tor.exe
516	f21559ac7c67d871d4f05.exe
3016	tor.exe
4160	f21559ac7c67d871d4f05.exe
2516	tor.exe
3740	f21559ac7c67d871d4f05.exe
1212	tor.exe
4172	f21559ac7c67d871d4f05.exe
2084	tor.exe
4740	f21559ac7c67d871d4f05.exe
956	tor.exe
4004	f21559ac7c67d871d4f05.exe
2928	tor.exe
748	f21559ac7c67d871d4f05.exe
4084	tor.exe
4796	f21559ac7c67d871d4f05.exe
180	tor.exe
3328	f21559ac7c67d871d4f05.exe
5092	tor.exe
1496	f21559ac7c67d871d4f05.exe
3936	tor.exe
3364	f21559ac7c67d871d4f05.exe
5116	tor.exe
4440	f21559ac7c67d871d4f05.exe
1788	tor.exe
4888	f21559ac7c67d871d4f05.exe
1664	tor.exe
2780	f21559ac7c67d871d4f05.exe
2664	tor.exe
696	f21559ac7c67d871d4f05.exe
3348	tor.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f21559ac7c67d871d4f05.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f21559ac7c67d871d4f05.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f21559ac7c67d871d4f05.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3928	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4480	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1896	f21559ac7c67d871d4f05.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	8	f21559ac7c67d871d4f05.exe
Token: SeDebugPrivilege	1896	f21559ac7c67d871d4f05.exe
Token: SeDebugPrivilege	3516	f21559ac7c67d871d4f05.exe
Token: SeDebugPrivilege	1788	f21559ac7c67d871d4f05.exe
Token: SeDebugPrivilege	3668	f21559ac7c67d871d4f05.exe
Token: SeDebugPrivilege	4812	f21559ac7c67d871d4f05.exe
Token: SeDebugPrivilege	4760	f21559ac7c67d871d4f05.exe
Token: SeDebugPrivilege	516	f21559ac7c67d871d4f05.exe
Token: SeDebugPrivilege	4160	f21559ac7c67d871d4f05.exe
Token: SeDebugPrivilege	3740	f21559ac7c67d871d4f05.exe
Token: SeDebugPrivilege	4172	f21559ac7c67d871d4f05.exe
Token: SeDebugPrivilege	4740	f21559ac7c67d871d4f05.exe
Token: SeDebugPrivilege	4004	f21559ac7c67d871d4f05.exe
Token: SeDebugPrivilege	748	f21559ac7c67d871d4f05.exe
Token: SeDebugPrivilege	4796	f21559ac7c67d871d4f05.exe
Token: SeDebugPrivilege	3328	f21559ac7c67d871d4f05.exe
Token: SeDebugPrivilege	1496	f21559ac7c67d871d4f05.exe
Token: SeDebugPrivilege	3364	f21559ac7c67d871d4f05.exe
Token: SeDebugPrivilege	4440	f21559ac7c67d871d4f05.exe
Token: SeDebugPrivilege	4888	f21559ac7c67d871d4f05.exe
Token: SeDebugPrivilege	2780	f21559ac7c67d871d4f05.exe
Token: SeDebugPrivilege	696	f21559ac7c67d871d4f05.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 2548	8	f21559ac7c67d871d4f05.exe	86
PID 8 wrote to memory of 2548	8	f21559ac7c67d871d4f05.exe	86
PID 2548 wrote to memory of 4264	2548	cmd.exe	88
PID 2548 wrote to memory of 4264	2548	cmd.exe	88
PID 2548 wrote to memory of 4480	2548	cmd.exe	90
PID 2548 wrote to memory of 4480	2548	cmd.exe	90
PID 2548 wrote to memory of 3928	2548	cmd.exe	96
PID 2548 wrote to memory of 3928	2548	cmd.exe	96
PID 2548 wrote to memory of 1896	2548	cmd.exe	97
PID 2548 wrote to memory of 1896	2548	cmd.exe	97
PID 1896 wrote to memory of 2492	1896	f21559ac7c67d871d4f05.exe	100
PID 1896 wrote to memory of 2492	1896	f21559ac7c67d871d4f05.exe	100
PID 1896 wrote to memory of 1796	1896	f21559ac7c67d871d4f05.exe	102
PID 1896 wrote to memory of 1796	1896	f21559ac7c67d871d4f05.exe	102
PID 3516 wrote to memory of 1516	3516	f21559ac7c67d871d4f05.exe	109
PID 3516 wrote to memory of 1516	3516	f21559ac7c67d871d4f05.exe	109
PID 1788 wrote to memory of 4296	1788	f21559ac7c67d871d4f05.exe	115
PID 1788 wrote to memory of 4296	1788	f21559ac7c67d871d4f05.exe	115
PID 3668 wrote to memory of 1916	3668	f21559ac7c67d871d4f05.exe	120
PID 3668 wrote to memory of 1916	3668	f21559ac7c67d871d4f05.exe	120
PID 4812 wrote to memory of 3888	4812	f21559ac7c67d871d4f05.exe	125
PID 4812 wrote to memory of 3888	4812	f21559ac7c67d871d4f05.exe	125
PID 4760 wrote to memory of 4408	4760	f21559ac7c67d871d4f05.exe	130
PID 4760 wrote to memory of 4408	4760	f21559ac7c67d871d4f05.exe	130
PID 516 wrote to memory of 3016	516	f21559ac7c67d871d4f05.exe	137
PID 516 wrote to memory of 3016	516	f21559ac7c67d871d4f05.exe	137
PID 4160 wrote to memory of 2516	4160	f21559ac7c67d871d4f05.exe	148
PID 4160 wrote to memory of 2516	4160	f21559ac7c67d871d4f05.exe	148
PID 3740 wrote to memory of 1212	3740	f21559ac7c67d871d4f05.exe	153
PID 3740 wrote to memory of 1212	3740	f21559ac7c67d871d4f05.exe	153
PID 4172 wrote to memory of 2084	4172	f21559ac7c67d871d4f05.exe	158
PID 4172 wrote to memory of 2084	4172	f21559ac7c67d871d4f05.exe	158
PID 4740 wrote to memory of 956	4740	f21559ac7c67d871d4f05.exe	163
PID 4740 wrote to memory of 956	4740	f21559ac7c67d871d4f05.exe	163
PID 4004 wrote to memory of 2928	4004	f21559ac7c67d871d4f05.exe	168
PID 4004 wrote to memory of 2928	4004	f21559ac7c67d871d4f05.exe	168
PID 748 wrote to memory of 4084	748	f21559ac7c67d871d4f05.exe	173
PID 748 wrote to memory of 4084	748	f21559ac7c67d871d4f05.exe	173
PID 4796 wrote to memory of 180	4796	f21559ac7c67d871d4f05.exe	178
PID 4796 wrote to memory of 180	4796	f21559ac7c67d871d4f05.exe	178
PID 3328 wrote to memory of 5092	3328	f21559ac7c67d871d4f05.exe	183
PID 3328 wrote to memory of 5092	3328	f21559ac7c67d871d4f05.exe	183
PID 1496 wrote to memory of 3936	1496	f21559ac7c67d871d4f05.exe	188
PID 1496 wrote to memory of 3936	1496	f21559ac7c67d871d4f05.exe	188
PID 3364 wrote to memory of 5116	3364	f21559ac7c67d871d4f05.exe	193
PID 3364 wrote to memory of 5116	3364	f21559ac7c67d871d4f05.exe	193
PID 4440 wrote to memory of 1788	4440	f21559ac7c67d871d4f05.exe	198
PID 4440 wrote to memory of 1788	4440	f21559ac7c67d871d4f05.exe	198
PID 4888 wrote to memory of 1664	4888	f21559ac7c67d871d4f05.exe	203
PID 4888 wrote to memory of 1664	4888	f21559ac7c67d871d4f05.exe	203
PID 2780 wrote to memory of 2664	2780	f21559ac7c67d871d4f05.exe	208
PID 2780 wrote to memory of 2664	2780	f21559ac7c67d871d4f05.exe	208
PID 696 wrote to memory of 3348	696	f21559ac7c67d871d4f05.exe	213
PID 696 wrote to memory of 3348	696	f21559ac7c67d871d4f05.exe	213

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f21559ac7c67d871d4f05.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f21559ac7c67d871d4f05.exe

C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe
"C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "f21559ac7c67d871d4f05" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe" &&START "" "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4264
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4480
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "f21559ac7c67d871d4f05" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3928
- - C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
    "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:1896
  - - C:\Windows\System32\tar.exe
      "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp3CDA.tmp" -C "C:\Users\Admin\AppData\Local\z1jp774dks"
      4⤵
      PID:2492
  - - C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe
      "C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt"
      4⤵
      Executes dropped EXE
      PID:1796

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe
  "C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1516

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe
  "C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4296

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe
  "C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1916

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe
  "C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3888

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe
  "C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4408

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516
- C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe
  "C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3016

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe
  "C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2516

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe
  "C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1212

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe
  "C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2084

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe
  "C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:956

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe
  "C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2928

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe
  "C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4084

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe
  "C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:180

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe
  "C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:5092

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe
  "C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3936

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe
  "C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:5116

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe
  "C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1788

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe
  "C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1664

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe
  "C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2664

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:696
- C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe
  "C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f21559ac7c67d871d4f05.exe.log

Filesize
847B

MD5
3308a84a40841fab7dfec198b3c31af7

SHA1
4e7ab6336c0538be5dd7da529c0265b3b6523083

SHA256
169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e

SHA512
97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

Download Submit
C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

Filesize
327KB

MD5
78fd6df30f791c7b5f45dca0b4c952a5

SHA1
d977ca82da0850eb5d4e69c9c657d1a41fb9c44d

SHA256
dba8f020ac6d09728422932492657fea3f0a95754cd279f5a949b6982bd32129

SHA512
abf0efb2412c522fbb7f6725a548e8d6a8bc045801a4dd8652a544a1527b99647140ad4843c41a6b00a728a5d8361c7e2ea80eba8ee3b291238729277dad228d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3CDA.tmp

Filesize
13.3MB

MD5
89d2d5811c1aff539bb355f15f3ddad0

SHA1
5bb3577c25b6d323d927200c48cd184a3e27c873

SHA256
b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

SHA512
39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

Download Submit
C:\Users\Admin\AppData\Local\z1jp774dks\data\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
a0db8a87f7b723266c8b04255da46b06

SHA1
4df00ea56d22d88f3d2e005ef66bad5b3ef92ebf

SHA256
60b43cdce0f807f7891521f396f53def34a7d98986dbde0faa2a197189c587f3

SHA512
41b8fc467d11af7ca6a42c7e94d1b8295ab3ae5d6d186b4f378e6e079440520e8324b695da1134beb2bc1697d2491edcc70c1b75ab6fc66b9c1cb2ecbcdb4a7d

Download Submit
C:\Users\Admin\AppData\Local\z1jp774dks\data\cached-microdescs.new

Filesize
9.4MB

MD5
de298d57b5108f28fc90618da83a4143

SHA1
3e89215cb84008eb5dfc8d3110af0e31f9c6e5ed

SHA256
2714425e09e98b048c994f0cde144958213bbe1bbc9b96f67de0dc3a96504ad8

SHA512
cde42449d4d8d41b1b9b8df036e9f1bb1559a59a17d7d1d04a08a8d74bb1af8d87eee24cd51159bc286614d2a8298cd282fbf5d466754f4b20a29fed7f6335e2

Download Submit
C:\Users\Admin\AppData\Local\z1jp774dks\host\hostname

Filesize
64B

MD5
b618c5b78193a27718cba5a86c0b7c07

SHA1
c1ee057d36811b3147ed198bd3d5c658498c71b1

SHA256
60e9036922b2095ca079713d3779d3bc6ebe68f053be052d337170b37c404197

SHA512
8c7cc7a20a1dafc29177a0e22e91fbeb2828f8db9d149ce2f7e20c6fa4d95ed3c667c6b3a9fb281b9c5c3594a8f2e7f807e74cf62202bc71fe0d603ec0b569e0

Download Submit
C:\Users\Admin\AppData\Local\z1jp774dks\port.dat

Filesize
4B

MD5
227e072d131ba77451d8f27ab9afdfb7

SHA1
9bcd6c8c398327684bae8be3c6df07ef9db45b6d

SHA256
6e28f139664a7dbd24102a95b98113c8b7764d4634721af1dadbe24d9f58a943

SHA512
d4806b99592c451ffc6005941c3ee6f7ae7fec31931e9c50ceec55706713234dd0f1af7000a73169dc5ecf6b4f4aa63a21b692e45c77c1812ac56485e166dd48

Download Submit
C:\Users\Admin\AppData\Local\z1jp774dks\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\z1jp774dks\torrc.txt

Filesize
218B

MD5
4a354b06abdb90f82b6565698404e47e

SHA1
492f088a4cff942386116245eb8844f654d5aa22

SHA256
d46a1fa087af98ed4f70ce1b0869c75aaf873ceb53c948ae2756a08660dc9fce

SHA512
6372ca47eeb4b69c2d81cdff57691d3e0e9923e37fc39fa5fb33b532a2b42cdb49a4da3094e03d7410f9d4c353ea0a62ff1a35c08bd8b0dacadd80314fedf11d

Download Submit
memory/8-2-0x0000022E47C70000-0x0000022E47C80000-memory.dmp

Filesize
64KB

Download
memory/8-1-0x00007FFD60900000-0x00007FFD613C1000-memory.dmp

Filesize
10.8MB

Download
memory/8-0-0x0000022E2D640000-0x0000022E2D698000-memory.dmp

Filesize
352KB

Download
memory/8-6-0x00007FFD60900000-0x00007FFD613C1000-memory.dmp

Filesize
10.8MB

Download
memory/516-162-0x000001E2FF3E0000-0x000001E2FF4E2000-memory.dmp

Filesize
1.0MB

Download
memory/516-160-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/516-163-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/696-418-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/696-419-0x00000216FAF00000-0x00000216FAF10000-memory.dmp

Filesize
64KB

Download
memory/696-422-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/748-273-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/748-270-0x000001ACEAB00000-0x000001ACEAB10000-memory.dmp

Filesize
64KB

Download
memory/748-269-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/1496-321-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/1496-324-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/1788-106-0x000001D76DF40000-0x000001D76E042000-memory.dmp

Filesize
1.0MB

Download
memory/1788-104-0x000001D753C40000-0x000001D753C50000-memory.dmp

Filesize
64KB

Download
memory/1788-107-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/1788-103-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/1896-68-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/1896-74-0x000001B7B02A0000-0x000001B7B02B0000-memory.dmp

Filesize
64KB

Download
memory/1896-48-0x000001B7B0520000-0x000001B7B0622000-memory.dmp

Filesize
1.0MB

Download
memory/1896-12-0x000001B7B02A0000-0x000001B7B02B0000-memory.dmp

Filesize
64KB

Download
memory/1896-11-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/2780-402-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/2780-399-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/3328-302-0x0000020D299B0000-0x0000020D299C0000-memory.dmp

Filesize
64KB

Download
memory/3328-305-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/3328-301-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/3364-344-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/3364-348-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/3364-345-0x000002026A3C0000-0x000002026A3D0000-memory.dmp

Filesize
64KB

Download
memory/3516-86-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/3516-87-0x000001572ADA0000-0x000001572ADB0000-memory.dmp

Filesize
64KB

Download
memory/3516-90-0x000001572AC90000-0x000001572AD92000-memory.dmp

Filesize
1.0MB

Download
memory/3516-91-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-118-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-117-0x00000134AFE00000-0x00000134AFF02000-memory.dmp

Filesize
1.0MB

Download
memory/3668-115-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/3740-194-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/3740-193-0x0000013F74940000-0x0000013F74A42000-memory.dmp

Filesize
1.0MB

Download
memory/3740-191-0x0000013F5C100000-0x0000013F5C110000-memory.dmp

Filesize
64KB

Download
memory/3740-190-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/4004-246-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/4004-249-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/4160-175-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/4160-177-0x000001E531460000-0x000001E531562000-memory.dmp

Filesize
1.0MB

Download
memory/4160-178-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/4172-211-0x000001F8362E0000-0x000001F8362F0000-memory.dmp

Filesize
64KB

Download
memory/4172-210-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/4172-213-0x000001F836600000-0x000001F836702000-memory.dmp

Filesize
1.0MB

Download
memory/4172-214-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/4440-363-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/4440-360-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-230-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-231-0x00000120266B0000-0x00000120266C0000-memory.dmp

Filesize
64KB

Download
memory/4740-234-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-147-0x000002C3FBAA0000-0x000002C3FBBA2000-memory.dmp

Filesize
1.0MB

Download
memory/4760-148-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-145-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/4796-286-0x000001B43A5B0000-0x000001B43A5C0000-memory.dmp

Filesize
64KB

Download
memory/4796-285-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/4796-289-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/4812-129-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/4812-128-0x00000249C1BF0000-0x00000249C1CF2000-memory.dmp

Filesize
1.0MB

Download
memory/4812-126-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/4888-379-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download
memory/4888-380-0x00000127A4940000-0x00000127A4950000-memory.dmp

Filesize
64KB

Download
memory/4888-383-0x00007FFD5F210000-0x00007FFD5FCD1000-memory.dmp

Filesize
10.8MB

Download