Overview

overview

10

Static

static

10

a245b51ab7...JC.exe

windows7-x64

10

a245b51ab7...JC.exe

windows10-1703-x64

10

a245b51ab7...JC.exe

windows10-2004-x64

10

a245b51ab7...JC.exe

windows11-21h2-x64

10

Resubmissions

10-04-2024 02:56

240410-dff7kacd24 10

10-04-2024 02:56

240410-de3zyacc96 10

10-04-2024 02:56

240410-de3deaff6t 10

10-04-2024 02:56

240410-de23msff6s 10

09-09-2023 14:35

230909-rx47lsbh52 10

Analysis

  • max time kernel
    1184s
  • max time network
    1199s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10-04-2024 02:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe

  • Size

    119KB

  • MD5

    369204590ce91e77109e21a298753522

  • SHA1

    e981f0c86c42e9e8fcbc7dcff0e05c35887a3869

  • SHA256

    a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647

  • SHA512

    bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

  • SSDEEP

    3072:P56Q4BB1q/hJcq4YZRKsySYSLLx9yLjj6TG6WVt9bm+EFyW43LORzMJS/3:Fha6BuQdwLKTGLt9bmhD4q1Mc

Score
10/10
gurcucollectiondiscoveryspywarestealer

Malware Config

Signatures

  • Detect Gurcu Stealer V3 payload 3 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Executes dropped EXE 40 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 60 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:3068
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:5092
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:4244
        • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
          "C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4476
          • C:\Windows\System32\tar.exe
            "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp5014.tmp" -C "C:\Users\Admin\AppData\Local\84tnjh4449"
            4⤵
              PID:904
            • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
              "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
              4⤵
              • Executes dropped EXE
              PID:4844
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4460
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:4076
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3552
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3816
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3028
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1956
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:1588
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1488
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:1040
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1148
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:2960
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2972
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3440
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:4592
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:924
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:4504
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1772
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3620
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3208
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:1944
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2296
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:984
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1132
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:840
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5080
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:988
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:476
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3952
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3116
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:1512
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1928
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:1632
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:568
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3632
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:1176
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3520

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\84tnjh4449\data\cached-microdesc-consensus
        Filesize

        2.6MB

        MD5

        8155dd4a16697830a63d507d2666b2a9

        SHA1

        e07a54b15c905cd1d9d41db3ccde3bade36bcdb4

        SHA256

        6b4f443629c32b632d8ad7bcb17d84da1e4eaec556dccdf98c5e9051cb404fed

        SHA512

        0cb6c3fa12cbe7f8e63c5c73c0665fc2593109801ba318c582c4bd1c14dfd27fff3252c22b9078040e743ec788ad9534856c72ca5e38d992d9cb5aeacf819e6f

        Download Submit

      • C:\Users\Admin\AppData\Local\84tnjh4449\data\cached-microdescs.new
        Filesize

        7.1MB

        MD5

        7d6e4b63300b2cf5941475112d07ad96

        SHA1

        d192c020e4693b0beef4614f920d75571db99c14

        SHA256

        c0f9c4d06bc3b7dda0a90ffc6cb21a262356f1c176d248b702083fe7e1426519

        SHA512

        2bc7ff7c4bd8f9aa403409bf4c1cacc38c181111bdf562e2a5d9bc29428bb8ec4b9a6c6c2cca4f61579fc26376c44baf700d39ed8accac143d8616675197b276

        Download Submit

      • C:\Users\Admin\AppData\Local\84tnjh4449\host\hostname
        Filesize

        64B

        MD5

        bbc077e07218264966fff5816c487c89

        SHA1

        93449320ebb1562cd21a64a1039130ab298e36d5

        SHA256

        8ec98ebac63d93f5c5d575099130b2f739c03ecea27b609ac9efb0425c9ce7fd

        SHA512

        fa0ffd8057573a7b4fc878ca8804a6308f2d3a6bdc0c98412c128e470d18f539659fba03628e0a01d78b2594bea2a94e55f4b2ad6b774a70a3261c2377649222

        Download Submit

      • C:\Users\Admin\AppData\Local\84tnjh4449\port.dat
        Filesize

        4B

        MD5

        73f490f3f868edbcd80b5d3f7cedc403

        SHA1

        71a90f55db81da1a538d0ce6ccdf7d07d2d2e845

        SHA256

        1ab6078431739cd9988f5c8e042389b2616911baa6c034a21b055f0b104b8527

        SHA512

        e78b2c4c4a79c7364ac6a7425043cf6873a9bf0b31eb343ed7ead59e7a58fef754099ae696a8c44bde07164cb5dd48d5f2fb0736bf088471d7939ff27eea6794

        Download Submit

      • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
        Filesize

        7.4MB

        MD5

        88590909765350c0d70c6c34b1f31dd2

        SHA1

        129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

        SHA256

        46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

        SHA512

        a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

        Download Submit

      • C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt
        Filesize

        218B

        MD5

        cf637e80f9e9977b98dd767625c23b79

        SHA1

        1f304c40327bd379958a30fc20f11ed21d193a0a

        SHA256

        3f3fb0e8aacf804815ade2477a194d47f823e987826b38d1aad2670e0b31e465

        SHA512

        8ed878d6a6677fe85946df820e9a2645161c6dffaba82ee8a9184be0b32b2fc011564e9dc9176ecc78f0e5adac269f3a779b7967978601af8682fcc33dd26bb2

        Download Submit

      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        Filesize

        119KB

        MD5

        369204590ce91e77109e21a298753522

        SHA1

        e981f0c86c42e9e8fcbc7dcff0e05c35887a3869

        SHA256

        a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647

        SHA512

        bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe.log
        Filesize

        847B

        MD5

        486ebddc86ea8b3e965d390d22283a23

        SHA1

        eaffc047f067084867e8575c576a9ec60e094ba8

        SHA256

        50a57273ecb794e53b0622eb841341e2643c11f53fa47356e6e754ab2268171d

        SHA512

        0a50ba02250b38355a6f4fb94e40c61258a74031d9aea7cdf675f3e068f39ec0748ecf292aaf2f94b1963b9d66516ee79aa6c552617048e248774af0ff07189d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        354B

        MD5

        09bfb5f987d252da41ca2fbd6c4d69d1

        SHA1

        893925b9dd3132f388970b866374376270324aeb

        SHA256

        4b88a9ae729dc0b67199a26ed86faeb8e8fa7d288439a67250e24ff71569fdaf

        SHA512

        7eab290ef6b8edccf13e3fb0323aa4d8ebebc5bc02f11e3633de54deffaed2eb7343434942878d99b9af229ca29d72f2d2e90d699f808b85de67b18bfe2901c7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        472B

        MD5

        ecfb038b6806fe8751b4a412978f8d44

        SHA1

        e0c8c49a1046855ce5832c11997aace4f9f678e5

        SHA256

        8a0cec1ab5a44438fae8027f2c7a788ecdb9a86ae4b630eaf3f717dcea30ea9d

        SHA512

        328c2aff188adc02f4578d687348eca20c1ae07e4bb874fb83b73b70b9f11c05274b485481fb5b77792bbe6eb5d7523fa6b5e2066031619e4c3cc21dc7b4a4b2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        590B

        MD5

        b0ceae99297d80ab6cac98912eebd51f

        SHA1

        28a38c826d7a2f9009d50158aff6e39492c9415a

        SHA256

        59dce55aa04f10383e637a998dd6dcdf5bda58327390242dcd2a035ba2aec64a

        SHA512

        0e3b2596e4a97c0d32685074809d52964f0d47afaf8172b09fd546f77c74ea249533e33fcad5ba2dba4fdc757048b2b838f06c79b654cbad46895ea7df0bd270

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        708B

        MD5

        2fef6077860fcd55c4286524a0ebecc0

        SHA1

        70cfbe06284957fdaccbd88cc1d1cfea7dd0c509

        SHA256

        f792529c9791aaf4f990fdd93d6427b09072735c18fbc9171e77aae828703861

        SHA512

        1e8d6a6bde94e18786f4320cfe2a64fc5fb5c7825f5fb2c60fc8b6fa973ec48131263b10c4972b4d8ccaa68080c7f4440a0d89ba540e45ecf9bc573e8fce2c53

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        826B

        MD5

        1fdf64d58a2d0f17d1ee65d6cd6a6e9e

        SHA1

        4a1a1a11661b3488736cce0cb5e7f941524f2df5

        SHA256

        81995ec9b0387decc8375f99cef79057704ca3565c3a893b49e4f8660f94be2a

        SHA512

        1b399ea1e516c4c5d55557b94c771b2fa4eeb429afb5d0b8cf1058ed5c903519e7a730005abf4f64a47bea31e287b28522de357cb4571dd59dc3172a80e9f880

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        944B

        MD5

        0e6750293a3ea9bdf2c5139aeab488e8

        SHA1

        d92761d5c2012567d5a3ddb4d3b692d9cf638e0f

        SHA256

        078680e72977e4872f1bae901ed2b523a86991e3318f34d518dc572e2c4eff7c

        SHA512

        649dfec75876d7cdfc587b27572414e854d3e96d99e2b540219046bfeec9ddaa1749737fce038f03bf65dee8d94d47d84ba789fd55987d950e790069e813e4ec

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        1KB

        MD5

        e21ad251172f20f8c5b7be61c2f917ef

        SHA1

        c68572bcf774cf359771157823633d075c446964

        SHA256

        89cca0f955ef03e2e3bdd66a7a09c32378d905aea712afa0397896f8591e8da4

        SHA512

        96f359226ca7bc2bf3bce9c48928a49c1013ff11f90f0d0e3682f8f2b1ee0e7b966462bd650463e98fb282259043716371f4f00a13608c3b1f156b4c6d3ec703

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        1KB

        MD5

        9d5ba1b16069f414847c0eca6e4f0722

        SHA1

        0366c724eac3cda8e66d15edf5d0368c8bdcbfdb

        SHA256

        596f08cfa961b167241e54e3f037131371c6acfa5892545dd7899f9c902130d5

        SHA512

        50c4251eb76ebb52efc4cc208b960405a3e0da9e56427349aec9593102ab8c4594b8905edc9f6a8d8469694fe4833f990f70712e62f0809d5239d28b8a92ed22

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        1KB

        MD5

        9f5c1735dc5a017f18a63853b712a08a

        SHA1

        194cede4db4491df757556012646d17dec0900b3

        SHA256

        a0c58326688722a4c52191d8a7cf648f51427943fbc057e8388a7d59483eaa20

        SHA512

        44fe07554f4c442b530ab53a8a4c354f7b80f4fab8dd24133768483f34d51104d0d1d121585908ff7221512879a4d183a6ec92da5ba0bf36625b2e60ab754129

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        1KB

        MD5

        8081287ffdd4343e484408411885afd7

        SHA1

        ed539145693dcd02d7dfd65d0613ca72c9da30af

        SHA256

        40f67d2b560b24dc6a5ff4665edba621bf9b0b4d93b27009b78b33d65eb8446b

        SHA512

        42fa8ee273ce7a366288f1a21e6e73199c2772fda930cb68e3ae87094e2a1ff98206b0ce22ba6d5ebf7a3047b9ead424edc9d7ed370dd0c507a0a85838544c4c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        1KB

        MD5

        3e00aef2501a25e766192df6b98a9084

        SHA1

        789962be7e0c53eede559953a240ee4847838b87

        SHA256

        d36ecdf8060bd6fb1068623f454b5f5f7fb6ccc40443ff66b5657b340442d095

        SHA512

        2a1c2f8fb70ac9cf3d8f5708730f7c171974a65fa65a521de122b71490874cee0e9fde5939ad50737e123377f8ee323a1c6c0fe79a48521c570de742e6c1dedd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        1KB

        MD5

        0ef5b0db03a693bb5c5e14f8320341f8

        SHA1

        65b41909f5273308663f582a19244a23df089c8f

        SHA256

        8e5a5e099e5a4360a2f82efbaa222b16e34175bb2fc630a3077b0628ad3f5ba7

        SHA512

        b15700986d0a7268e04ce021af70ad125e59ae34cd888f6dfea3df6ad9966bc2511899c8de46f825eda6f410aa0332ad69a216729d05eb0ccb119a09c0706b54

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        1KB

        MD5

        1e61b7d6412c5d166aaf383c0a0d1914

        SHA1

        af1d7227c6457cb3dcfbfa2fe81f5b324b241a6f

        SHA256

        c283650e4b9b38c6e53221607528007208d160aa83260332738a2c4af7cb19be

        SHA512

        a00d8408abbb1f79a97713da0e571ad021d6e0b9d4a29359e2a333c3e7bb7fb6bed26b3207099f4607ba9c03b86f5bd615aa7f65a7fec1b43afa4c73d77e3bb9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        1KB

        MD5

        2a14024115582a9b2cd2375163ecc375

        SHA1

        0689de662154b0649b95083d7abf26d8e068d23d

        SHA256

        b5f035e2c46650e78c559229f0831ac74ae3f5c8973fe89ff2d7abf12cc172ff

        SHA512

        c699dcfcf9d26ffdac3bec09f47de422be8bc81c05a576bf0c3b5f30c81bdea4fb5f701aee0638a113cb21e26904ec271bf7e7698c77829441957544c18b2a8e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        1KB

        MD5

        c650cfc40b480cb658fc8a18a6157d2f

        SHA1

        4291d595d17741123ccee572c864667e92a5f421

        SHA256

        c50e88b287261a43a8baa4f5cda9ad5c997e827186c53b10d0d186266fa6ba1a

        SHA512

        b3c6f9b6b796b19b441819eccadb6fe7d4ab0c4ab03dbde6de12a51cdd1a778f8f7753c248a0a45be7df622017f2df10a6fca78bf3c40f487655716d2b90c525

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        2KB

        MD5

        3e4bc9cbd2df1d91ccac98c1c72e4c9a

        SHA1

        eceed8dee3f85f8ef23bf2d312ed2b55a5568c5a

        SHA256

        130f5964bb26b91981fbf35c82af8cd9566b4ad1fe0d1afcadc83ef29c2e1b6a

        SHA512

        1a0459b428d08da426da45a1d440c22711dfee0cfd5b9d06c79257d63bea926b0b9ca921142d4b124cd7119624694a0bd94c893359e0426a2bb8b292f0a26e09

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        118B

        MD5

        5855134462b4b6564ba673753d11cb6b

        SHA1

        35f82a63bc22c1748d03210ac064e392a202dad4

        SHA256

        baad92258be0489f1223d82dbb87164e95614812c3c96af990f6bb54a2d16285

        SHA512

        46b4a4b69be153aefa27d3b87d382f78c25d0d63422bec0da889ed148f2659353fae9d5513f222dde45406df7b9e60e3e8504b9955559b53cfa70ca36650f3fd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp5014.tmp
        Filesize

        13.3MB

        MD5

        89d2d5811c1aff539bb355f15f3ddad0

        SHA1

        5bb3577c25b6d323d927200c48cd184a3e27c873

        SHA256

        b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

        SHA512

        39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

        Download Submit

      • memory/476-260-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/476-256-0x000001F0F0B90000-0x000001F0F0BA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/476-255-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/568-298-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/568-294-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/924-171-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/924-175-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1132-226-0x0000021EEFC50000-0x0000021EEFC60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1132-225-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1132-230-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1148-140-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1148-136-0x0000017D79A90000-0x0000017D79AA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1148-135-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1176-309-0x0000026875E10000-0x0000026875E20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1176-312-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1176-308-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1488-125-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1488-129-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1516-52-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1516-0-0x000001C599220000-0x000001C599244000-memory.dmp

        Filesize

        144KB

        Download

      • memory/1516-4-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1772-181-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1772-182-0x0000020A679A0000-0x0000020A679B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1772-186-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1928-284-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1928-280-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1956-106-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1956-107-0x0000019136C60000-0x0000019136C70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1956-111-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2296-211-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2296-215-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2712-104-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2712-100-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2868-157-0x0000025F803F0000-0x0000025F80400000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2868-161-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2868-156-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2972-146-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2972-142-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3116-270-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3116-266-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3208-197-0x000001C79F220000-0x000001C79F230000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3208-201-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3208-196-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3552-93-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3552-94-0x000001DBBB7F0000-0x000001DBBB800000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3552-98-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4460-87-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4460-83-0x00000181590E0000-0x00000181590F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4460-82-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4476-72-0x0000016260600000-0x0000016260610000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4476-63-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4476-10-0x0000016260600000-0x0000016260610000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4476-9-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5080-245-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5080-241-0x0000028AF5850000-0x0000028AF5860000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5080-240-0x00007FFEC8710000-0x00007FFEC91D2000-memory.dmp

        Filesize

        10.8MB

        Download