gurcu | 27ba6d686db735916061498a56b3a43e4791ee455fabf4caed05db1929f28e6b

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Size

490KB
MD5

a338043c6b5260df6b7ce4c4ec3d1b80
SHA1

087a787a34ee05478bfa07b50fd39c8367b0a157
SHA256

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50
SHA512

c81b2f1aac6d249d43b485e8e536c22a8f44da09e31f118f9ddfd0f1ef6d1eba4b67e96d087b2148f45dc93e0de5ba0178c422088e110a40544a7b3b2ff4fccf
SSDEEP

6144:/6ho3IhHN5ya1R64TxT8jWHgf8YJkVHC++VeQPBZnq0LZYSwFxQx9tw39b5wGuJB:irhtHxpmWHgf8Y6/Qp1nLiDKIwf

Score

10^/10

gurcu collection discovery spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6104192483:AAFCcnr4FR2XCO83zUSAWWZ9J3qw4tRYQoI/sendMessage?chat_id=2076277850

Signatures

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu

Deletes itself 1 IoCs

pid	Process
2876	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
2872	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
1720	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
2936	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
604	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 12 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
51	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2876	cmd.exe
2584	PING.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2584	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2872	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
1720	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
2936	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
604	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Token: SeDebugPrivilege	2872	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Token: SeDebugPrivilege	1720	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Token: SeDebugPrivilege	2936	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Token: SeDebugPrivilege	604	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2876	2892	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe	30
PID 2892 wrote to memory of 2876	2892	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe	30
PID 2892 wrote to memory of 2876	2892	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe	30
PID 2876 wrote to memory of 2148	2876	cmd.exe	32
PID 2876 wrote to memory of 2148	2876	cmd.exe	32
PID 2876 wrote to memory of 2148	2876	cmd.exe	32
PID 2876 wrote to memory of 2584	2876	cmd.exe	33
PID 2876 wrote to memory of 2584	2876	cmd.exe	33
PID 2876 wrote to memory of 2584	2876	cmd.exe	33
PID 2876 wrote to memory of 2792	2876	cmd.exe	34
PID 2876 wrote to memory of 2792	2876	cmd.exe	34
PID 2876 wrote to memory of 2792	2876	cmd.exe	34
PID 2876 wrote to memory of 2872	2876	cmd.exe	35
PID 2876 wrote to memory of 2872	2876	cmd.exe	35
PID 2876 wrote to memory of 2872	2876	cmd.exe	35
PID 2872 wrote to memory of 740	2872	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe	36
PID 2872 wrote to memory of 740	2872	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe	36
PID 2872 wrote to memory of 740	2872	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe	36
PID 1736 wrote to memory of 1720	1736	taskeng.exe	39
PID 1736 wrote to memory of 1720	1736	taskeng.exe	39
PID 1736 wrote to memory of 1720	1736	taskeng.exe	39
PID 1720 wrote to memory of 1888	1720	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe	41
PID 1720 wrote to memory of 1888	1720	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe	41
PID 1720 wrote to memory of 1888	1720	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe	41
PID 1736 wrote to memory of 2936	1736	taskeng.exe	42
PID 1736 wrote to memory of 2936	1736	taskeng.exe	42
PID 1736 wrote to memory of 2936	1736	taskeng.exe	42
PID 2936 wrote to memory of 1040	2936	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe	43
PID 2936 wrote to memory of 1040	2936	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe	43
PID 2936 wrote to memory of 1040	2936	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe	43
PID 1736 wrote to memory of 604	1736	taskeng.exe	44
PID 1736 wrote to memory of 604	1736	taskeng.exe	44
PID 1736 wrote to memory of 604	1736	taskeng.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

C:\Users\Admin\AppData\Local\Temp\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
"C:\Users\Admin\AppData\Local\Temp\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe"
  2⤵
  - Deletes itself
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2148
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2584
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2792
- - C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
    "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2872 -s 3396
      4⤵
      PID:740

C:\Windows\system32\taskeng.exe
taskeng.exe {2F81E455-BF3E-410F-8FB4-B6D6561780D7} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
  C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1720 -s 3524
    3⤵
    PID:1888
- C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
  C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2936 -s 3564
    3⤵
    PID:1040
- C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
  C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c3da3d8f124c52e2c97443847535c4e

SHA1
4c3b9e10c4e6f98c7582d5f20a00472fe062c559

SHA256
4ddbacd4387dad4728009e25c970566cc95aa447472ffaec23af8d499e792903

SHA512
4f3167c7f633f061b1d74309a74adeff05729d102681663e73bb410c8060c4a7301f3e9554ea63d9211b6809104ee31d57eaa9dc1159d6db884887fede33a345

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe23dd364ac7b2dbf173187d482b762d

SHA1
bc12a797091f1b0746db3ac10860b75fe85b161e

SHA256
8f34a9d1b0340667d910f1eb7f2b49b3352d66cf972e0a2feb28e1fefbcbc082

SHA512
29517ad2254a6c1e1ef0e7612eb831279ddfb6532734e56a6866dce470afcc805c6752b481de615528b321afadd9bbc12a2ca07ae46acacf1504cb3166896e97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b70a2ce9fd276768da60f3abb6362dd

SHA1
d99e05b2141c3aedfed52b1155a882dfb8c4c84c

SHA256
c6911af5c53072b61c01579210b4af8d94052972234f98f9e5e76fa87da55185

SHA512
071886abcd191ddaab3084351f1e3fec4094c309c6a63680b6fba2637e82ba1522afabc8cf0da39a45a039fe88c34fa3ba2df74c8d5cf598be53d4431080c01e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74cd2fdbf2016c307eff6fcbfdd9a702

SHA1
6c0b62e85157cd90e1ae6d24785afa8b4166faab

SHA256
acd9766c35c75c1b5f10ee7202c36694d1c7576fa4fd61e3206d0ecf92f83cef

SHA512
5d208aca32f5fe2119c5ff27bb87130bb2726a56af5ce6dc56cd5a7b4bb967f053e53ec5abf7e88377c23c21690a3937ae2a2911542d4bdafda907e8daf3aba0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65cfb4acee37ec84a970f34047b67499

SHA1
b23597bacfa82c24c9223f9bc47c77610e6938db

SHA256
05c5bf777e998004947c4eeeed94ecb64d2d79b5c37784514a0834b97c9bd9fc

SHA512
6668dc029fb6bf94ee3365c240ad21ca148b8758509e4ca627d1d24dcc8bc63b0f7a7735437814a9a3df1b02ba7a53bdd14aa10e6fc507567defab76a8d06e71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
131e78fdf554721d6b686e0e8f09b8f9

SHA1
c08e8c826a9fa1b32b648896b5725e86c4c63ef0

SHA256
77e32feec46fad61413f929d2ca8d935717d6faf9d4f19cf7bab04ad78646f58

SHA512
689ad2d5bf96a04c8b31061ec9d31b88613f2258bc7067655997a55d9bd5c159045479fd736afd97bc29610270937febb32310494fe53a401eb1be3dae290fd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb710e1fb55a0cccc5c7997c52d01072

SHA1
9a59c158d31cd7b3038b39a934d41cf3495560dd

SHA256
ee656d8938eedf9f12763b8ecafc76ba5e75a3ad79d3e2271a7bf603c3192249

SHA512
21041e174447f7829b36d1bdd064ab78f23421cd057ae5c588ccd2b9b66ae9658c3b299e4eeb735962af082cd1af8c295de4d4ae244ba950226b468b0c610ca8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47cfa176d9947db2dd686bfc1c01d876

SHA1
5a3136c825c0a5389efc448759f123ac38de4f27

SHA256
40b34026ec67eb690279b99dcaf6c0176c2f9fe16ff49e7aa1fccf479bb57af9

SHA512
a40cb2952b3443081ac790cbf299ab1b23c12e5409efbba7859213b82e0d78f9e542d6b6a984761bade6086716f13d032b6dc382972dc14d9f187a0b0b9e5340

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7802e2c079c07a18299c703e46392d98

SHA1
5a2c4b252173feb37645f6c66f6a4b1da2c8441a

SHA256
489b7964591b4d93fdd6f0c0a66440aca60d68a7298d94b33e42513c5770b760

SHA512
9bfd016c4083d6f5f4d56156f0a2dba41dc499c378bf1a8c005591d5ae97257a94dd0411e981069e5c43097a8ccb2c2340efb6dd68b841fbbb009ad050f7bfee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da592c055289ef236ea2694f2053609b

SHA1
dde49d9e7112d7df275cee085f1ebdb8784f6b23

SHA256
c1808d86234c8f40742b42df73a7136836dee554fb2e0aaebcc5de7f640a4680

SHA512
d8e35a2763123505acf71098628422c0c2cf7491821670b07830f3ee5e76536ec02e53635dfbce7a55c4f6fefee0690d95ee92463a047529018872871f369928

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82e1ea92e2b6ea93d73207a0064bee9e

SHA1
e439fe45d05417c7d0849cd6b6e3124f5efd1fe4

SHA256
0d5400f98227af12e72af51c3a29f28c4f3cfa1165d7559483b6930454755464

SHA512
6f531a5f2c33993d2f35ea98f1d78a625ff173e5c9c6f825677e6a3dfadef1382c9961a587fe737984f8dc09966da8d28159180d2c356ebf09c28449cb1dba13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8eba528f36eff5f3598afc7380817a7d

SHA1
26964fde2dab1717477185c190d1e14c2de99f84

SHA256
6afd42b06defdc62f8507ab492727fc2e0237fd14cdd5f9be05cd2797ae99745

SHA512
81a0d9938a39e871702c0fc551c5cf7e614d7f1e56c4ec9c3f8bacad73f1f04b127e9eba67736ab0c4d95bcccc7f02ba2160e1020195a6ec6159656b4aa82de7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4eb279ba015d246ad572383575cfbf08

SHA1
f1458bbd0aaf3aeab6b22e207053120f64ac83b0

SHA256
bb58871302a9122a8f515f01b0a7a64d445ffdac1853461f849205276568e6d9

SHA512
a7a58b967c701c5a1646c57af0c6b2b4b52bbdb41f38803e518ea7aa7d2a65ea38d91396e9479abff3444c7327c2ac1db5ade5c942fb32c27b234a79c79290b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1a12a696f2201fdfa849bf411a1285a

SHA1
32e0e5bc856fe5570dd23595cd9ccd70941e42e8

SHA256
6b7f43e7adf9b65662c696402e86becff8e797194d429f9ffb150093a038eba6

SHA512
d083bf8406fd911ad1cd2f6d444db84623572b64297373d81bbca249515d7942636704627dab8cf6ae552772f87c1e42ba45a5f6f9d033b206d114bf401b8afe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42aa4488773148eaa902092ab69ae48c

SHA1
4bb3d71a5b0eb3a82e0fc9670e77604c6bb34f23

SHA256
0d32d10d535add6bb1a2b15e0af38f478b568581c68607d9b57acffd703763aa

SHA512
8ae4f0a33ea36740d1c87fd7651eaad5e1186c8d0174906670a0ed4dc9dec72089fcd3b53ae77275398811cca1518632def806f985af6ef7a13284fa3bb93b13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50be1b2e9f3552184e8dc3c307c7ed28

SHA1
1faf515266b55d6a28298290cfe07d2eb8bb3d93

SHA256
cfc3aed1e06f3eddef5caf8f9b8ce2ac70adfa9e74b46b6e73287ed8aad42aaf

SHA512
72de5f4cd9c7459d1e3331a493dc8f51023c8f15c212eb5ceadef9bba2d472f8accfdbfd6d7cd1fa0e61efc8cbec49bf5e433411e6c8c76ae272b7b1f1386fbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f011dcc029a068c5e8ee938282e82ac

SHA1
88e7c4071692ea9c9ad45899e2f8e23b26177de5

SHA256
48590abd4611486bcd34ad8ca9ec6760ff7f6e53a9273f9df095f78a8714adb8

SHA512
9cc65c34a19d6e112e4cf6a2ca1d458a9c4c60249ff9a516ea9b763b23b831748ee853b5028c05ad15dc7e757cb839ea377813a8c72bbede0452f57818866412

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a574f9943c8de24d65682bbe329feb1

SHA1
da82a99186ba07cf411ad1921d36985d2aef7e9f

SHA256
1543700bbe963ef21c6d8a18be934c6e7f5537f04c928aab3cf69f9fef4d3301

SHA512
f5d6ca4a35bc926724cdc5e26170b650fb6c686ecac63baded1be7db8e84a7e8fbcaaaa0dd991bb594754fb1fd49b7d9139f2f9d4551982025f775cc1d05ba7b

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Filesize
490KB

MD5
a338043c6b5260df6b7ce4c4ec3d1b80

SHA1
087a787a34ee05478bfa07b50fd39c8367b0a157

SHA256
f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50

SHA512
c81b2f1aac6d249d43b485e8e536c22a8f44da09e31f118f9ddfd0f1ef6d1eba4b67e96d087b2148f45dc93e0de5ba0178c422088e110a40544a7b3b2ff4fccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9C52.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9D4F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\y5aox5pi99\port.dat

Filesize
4B

MD5
cb953f6ca5923f7517125db46ed1293d

SHA1
30d49ba7c734e5ae820abe560bbef4120867d4cb

SHA256
77c929f89b86b56345c2b17e7af8f24cc3968b8a1a65a90d6011cddb630dab42

SHA512
ddc673d34dfebd0b093ce0a440f84fbccf20c2f3d3e39ab5b05fccfa5bcb7399cceda8f685ffcd4a26312a6ffd3393d5c57d755b1d2e3b9db3fa13d6daa00990

Download Submit
memory/604-1155-0x00000000012A0000-0x0000000001320000-memory.dmp

Filesize
512KB

Download
memory/1720-306-0x0000000001290000-0x0000000001310000-memory.dmp

Filesize
512KB

Download
memory/2872-9-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/2892-0-0x000007FEF59E3000-0x000007FEF59E4000-memory.dmp

Filesize
4KB

Download
memory/2892-2-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2892-1-0x0000000001250000-0x00000000012D0000-memory.dmp

Filesize
512KB

Download
memory/2892-5-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download