Malware Analysis Report

2024-10-23 19:16

Sample ID 230530-nkbsrahf2v
Target whitesnake.exe
SHA256 446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89
Tags: gurcu collection spyware stealer discovery
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89

Threat Level: Known bad

The file whitesnake.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection spyware stealer discovery

Gurcu, WhiteSnake

Gurcu family

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Checks computer location settings

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies system certificate store

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-05-30 11:26

Signatures

Gurcu family

gurcu

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-05-30 11:26

Reported: 2023-05-30 12:07

Platform: win7-20230220-en

Max time kernel: 116s

Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\whitesnake.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\cmd.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob removed during extraction] | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [X.509 certificate blob omitted; the blob carries the friendly name "DST Root CA X3"] | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob removed during extraction] | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob removed during extraction] | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob removed during extraction] | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\whitesnake.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1220 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\whitesnake.exe | C:\Windows\System32\cmd.exe
PID 1220 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\whitesnake.exe | C:\Windows\System32\cmd.exe
PID 1220 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\whitesnake.exe | C:\Windows\System32\cmd.exe
PID 1996 wrote to memory of 668 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com
PID 1996 wrote to memory of 668 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com
PID 1996 wrote to memory of 668 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com
PID 1996 wrote to memory of 764 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1996 wrote to memory of 764 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1996 wrote to memory of 764 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1996 wrote to memory of 1152 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1996 wrote to memory of 1152 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1996 wrote to memory of 1152 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1996 wrote to memory of 756 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe
PID 1996 wrote to memory of 756 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe
PID 1996 wrote to memory of 756 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe
PID 1228 wrote to memory of 1548 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe
PID 1228 wrote to memory of 1548 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe
PID 1228 wrote to memory of 1548 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe
PID 756 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | C:\Windows\system32\WerFault.exe
PID 756 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | C:\Windows\system32\WerFault.exe
PID 756 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | C:\Windows\system32\WerFault.exe
PID 1228 wrote to memory of 1744 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe
PID 1228 wrote to memory of 1744 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe
PID 1228 wrote to memory of 1744 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\whitesnake.exe

"C:\Users\Admin\AppData\Local\Temp\whitesnake.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "whitesnake" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\whitesnake.exe" &&START "" "C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "whitesnake" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

"C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {6109A965-2372-4D3D-8625-3189D22BB4A3} S-1-5-21-2961826002-3968192592-354541192-1000:HVMHZIYD\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 756 -s 1972

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | archive.torproject.org | udp
US | 8.8.8.8:53 | youtube.com | udp
US | 8.8.8.8:53 | youtube.com | udp
US | 8.8.8.8:53 | github.com | udp
IN | 20.207.73.82:80 | github.com | tcp
NL | 216.58.214.14:80 | youtube.com | tcp
IN | 20.207.73.82:80 | github.com | tcp
NL | 216.58.214.14:80 | youtube.com | tcp
DE | 159.69.63.226:443 | archive.torproject.org | tcp
IN | 20.207.73.82:443 | github.com | tcp
IN | 20.207.73.82:443 | github.com | tcp
US | 8.8.8.8:53 | apps.identrust.com | udp
NL | 88.221.25.169:80 | apps.identrust.com | tcp
IN | 20.207.73.82:443 | github.com | tcp
IN | 20.207.73.82:443 | github.com | tcp

Files

memory/1220-54-0x0000000000060000-0x00000000000BC000-memory.dmp

memory/1220-55-0x000000001B220000-0x000000001B2A0000-memory.dmp

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

MD5 aec814bf30dd191b641feef457a718ce
SHA1 96c2bea5b416d10a2dae60acd2b7f9c7cebb8115
SHA256 446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89
SHA512 fdd89bcb64728e88e5b9453f3c93c011fa2f22a5947a3d380ac2768184126c27b0e97556ace1d736cfe4da20281b5c710af78f55460948d5561c979021f5b6b0

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

MD5 aec814bf30dd191b641feef457a718ce
SHA1 96c2bea5b416d10a2dae60acd2b7f9c7cebb8115
SHA256 446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89
SHA512 fdd89bcb64728e88e5b9453f3c93c011fa2f22a5947a3d380ac2768184126c27b0e97556ace1d736cfe4da20281b5c710af78f55460948d5561c979021f5b6b0

memory/756-61-0x0000000000F50000-0x0000000000FAC000-memory.dmp

memory/756-63-0x000000001B2B0000-0x000000001B330000-memory.dmp

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

MD5 aec814bf30dd191b641feef457a718ce
SHA1 96c2bea5b416d10a2dae60acd2b7f9c7cebb8115
SHA256 446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89
SHA512 fdd89bcb64728e88e5b9453f3c93c011fa2f22a5947a3d380ac2768184126c27b0e97556ace1d736cfe4da20281b5c710af78f55460948d5561c979021f5b6b0

C:\Users\Admin\AppData\Local\Temp\Cab61D3.tmp

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\Local\Temp\Tar61E5.tmp

MD5 73b4b714b42fc9a6aaefd0ae59adb009
SHA1 efdaffd5b0ad21913d22001d91bf6c19ecb4ac41
SHA256 c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd
SHA512 73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\Tar6595.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3e2554b3debc878b8abe857f34ff3eac
SHA1 a3a9e29a542d57f048fbb41009991d00982c70f1
SHA256 0ac1672c861b93b725a0f7ec8bc265ce4b7b4ef2b112d807a7844f232d5ed1ca
SHA512 e56e0e798f8edeb9e5e09c78c8bc3e7ad1c68f5128311177848ecec26e1927ba7a7fe79771be0babccfab01b49d41a391a98eb18fa52a49fa4b6023674558a69

memory/756-150-0x000000001B2B0000-0x000000001B330000-memory.dmp

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

MD5 aec814bf30dd191b641feef457a718ce
SHA1 96c2bea5b416d10a2dae60acd2b7f9c7cebb8115
SHA256 446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89
SHA512 fdd89bcb64728e88e5b9453f3c93c011fa2f22a5947a3d380ac2768184126c27b0e97556ace1d736cfe4da20281b5c710af78f55460948d5561c979021f5b6b0

Analysis: behavioral2

Detonation Overview

Submitted: 2023-05-30 11:26

Reported: 2023-05-30 12:08

Platform: win10v2004-20230220-en

Max time kernel: 148s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\whitesnake.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\whitesnake.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\whitesnake.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4448 wrote to memory of 3880 | N/A | C:\Users\Admin\AppData\Local\Temp\whitesnake.exe | C:\Windows\System32\cmd.exe
PID 4448 wrote to memory of 3880 | N/A | C:\Users\Admin\AppData\Local\Temp\whitesnake.exe | C:\Windows\System32\cmd.exe
PID 3880 wrote to memory of 4420 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com
PID 3880 wrote to memory of 4420 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com
PID 3880 wrote to memory of 3540 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 3880 wrote to memory of 3540 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 3880 wrote to memory of 4656 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 3880 wrote to memory of 4656 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 3880 wrote to memory of 4892 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe
PID 3880 wrote to memory of 4892 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe
PID 4892 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | C:\Windows\System32\tar.exe
PID 4892 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | C:\Windows\System32\tar.exe
PID 1864 wrote to memory of 4248 | N/A | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe
PID 1864 wrote to memory of 4248 | N/A | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe
PID 4892 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe
PID 4892 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe
PID 3464 wrote to memory of 3720 | N/A | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe
PID 3464 wrote to memory of 3720 | N/A | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe
PID 4740 wrote to memory of 1516 | N/A | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe
PID 4740 wrote to memory of 1516 | N/A | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\whitesnake.exe

"C:\Users\Admin\AppData\Local\Temp\whitesnake.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "whitesnake" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\whitesnake.exe" &&START "" "C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "whitesnake" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

"C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe"

C:\Windows\System32\tar.exe

"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp7D91.tmp" -C "C:\Users\Admin\AppData\Local\8lxyt4fm8n"

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe

"C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\8lxyt4fm8n\torrc.txt"

C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe

"C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\8lxyt4fm8n\torrc.txt"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 184 -p 1864 -ip 1864

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1864 -s 2856

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe

"C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\8lxyt4fm8n\torrc.txt"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 440 -p 3464 -ip 3464

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3464 -s 2032

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe

"C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\8lxyt4fm8n\torrc.txt"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 512 -p 4740 -ip 4740

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4740 -s 1956

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 eset.com udp
US 8.8.8.8:53 youtube.com udp
SK 91.228.166.47:80 eset.com tcp
NL 216.58.214.14:80 youtube.com tcp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 47.166.228.91.in-addr.arpa udp
US 8.8.8.8:53 archive.torproject.org udp
US 8.8.8.8:53 google.com udp
DE 159.69.63.226:443 archive.torproject.org tcp
NL 142.250.179.142:80 google.com tcp
NL 216.58.214.14:80 youtube.com tcp
NL 216.58.214.14:80 youtube.com tcp
US 8.8.8.8:53 github.com udp
IN 20.207.73.82:80 github.com tcp
IN 20.207.73.82:80 github.com tcp
US 8.8.8.8:53 142.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 226.63.69.159.in-addr.arpa udp
IN 20.207.73.82:443 github.com tcp
IN 20.207.73.82:443 github.com tcp
US 8.8.8.8:53 82.73.207.20.in-addr.arpa udp
IN 20.207.73.82:443 github.com tcp
IN 20.207.73.82:443 github.com tcp
US 8.8.8.8:53 telegram.org udp
NL 149.154.167.99:80 telegram.org tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
IN 20.207.73.82:443 github.com tcp
IN 20.207.73.82:443 github.com tcp
US 117.18.232.240:80 tcp
US 117.18.232.240:80 tcp
IN 20.207.73.82:443 github.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
IN 20.207.73.82:443 github.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
IN 20.207.73.82:443 github.com tcp
US 8.8.8.8:53 openai.com udp
IN 20.207.73.82:80 github.com tcp
IN 20.207.73.82:443 github.com tcp
US 13.107.213.67:80 openai.com tcp
US 8.8.8.8:53 67.213.107.13.in-addr.arpa udp
IN 20.207.73.82:443 github.com tcp
US 13.107.213.67:443 openai.com tcp
NL 216.58.214.14:80 youtube.com tcp
NL 216.58.214.14:80 youtube.com tcp
DE 188.40.147.177:443 tcp
IN 20.207.73.82:80 github.com tcp
IN 20.207.73.82:443 github.com tcp
US 117.18.232.240:80 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 177.147.40.188.in-addr.arpa udp
GB 145.239.206.31:8001 tcp
US 8.8.8.8:53 blockchain.com udp
US 8.8.8.8:53 transfer.sh udp
US 104.16.157.132:80 blockchain.com tcp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 www.blockchain.com udp
US 104.16.156.132:443 www.blockchain.com tcp
US 23.82.136.14:443 tcp
US 51.81.56.74:443 tcp
SE 185.82.126.172:443 tcp
US 8.8.8.8:53 31.206.239.145.in-addr.arpa udp
US 8.8.8.8:53 132.156.16.104.in-addr.arpa udp
US 8.8.8.8:53 132.157.16.104.in-addr.arpa udp
US 8.8.8.8:53 172.126.82.185.in-addr.arpa udp
US 8.8.8.8:53 74.56.81.51.in-addr.arpa udp
US 8.8.8.8:53 14.136.82.23.in-addr.arpa udp
N/A 127.0.0.1:49792 tcp
N/A 127.0.0.1:49805 tcp
IN 20.207.73.82:443 github.com tcp
RU 83.137.50.106:8500 83.137.50.106 tcp
US 8.8.8.8:53 106.50.137.83.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 14.103.197.20.in-addr.arpa udp
US 8.8.8.8:53 105.104.123.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 pornhub.com udp
US 66.254.114.41:80 pornhub.com tcp
US 8.8.8.8:53 www.pornhub.org udp
US 66.254.114.41:443 www.pornhub.org tcp
US 8.8.8.8:53 41.114.254.66.in-addr.arpa udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 40.125.122.151:443 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 13.107.213.67:80 openai.com tcp
US 13.107.213.67:443 openai.com tcp
DE 144.76.136.153:443 transfer.sh tcp
US 13.107.213.67:80 openai.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 40.79.141.153:443 tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.220:443 api.telegram.org tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 173.223.113.164:443 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.220:443 api.telegram.org tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 66.254.114.41:80 www.pornhub.org tcp
US 66.254.114.41:443 www.pornhub.org tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 66.254.114.41:80 www.pornhub.org tcp
US 8.8.8.8:53 www.pornhub.org udp
US 66.254.114.41:443 www.pornhub.org tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.220:443 api.telegram.org tcp
SK 91.228.166.47:80 eset.com tcp
US 66.254.114.41:80 www.pornhub.org tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 66.254.114.41:443 www.pornhub.org tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 www.eset.com udp
IN 20.207.73.82:80 github.com tcp
US 8.8.8.8:53 6.d.a.8.b.e.f.b.0.0.0.0.0.0.0.0.4.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa udp
NL 23.72.252.131:443 www.eset.com tcp
DE 144.76.136.153:443 transfer.sh tcp
N/A 127.0.0.1:49946 tcp
US 93.184.221.240:80 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 66.254.114.41:80 www.pornhub.org tcp
US 66.254.114.41:443 www.pornhub.org tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.220:443 api.telegram.org tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.220:443 api.telegram.org tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 66.254.114.41:80 www.pornhub.org tcp
US 66.254.114.41:443 www.pornhub.org tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.220:443 api.telegram.org tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.220:443 api.telegram.org tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.220:443 api.telegram.org tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 66.254.114.41:80 www.pornhub.org tcp
US 66.254.114.41:443 www.pornhub.org tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.220:443 api.telegram.org tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.220:443 api.telegram.org tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 66.254.114.41:80 www.pornhub.org tcp
US 66.254.114.41:443 www.pornhub.org tcp
DE 144.76.136.153:443 transfer.sh tcp
SK 91.228.166.47:80 eset.com tcp
NL 216.58.214.14:80 youtube.com tcp
IN 20.207.73.82:80 github.com tcp
NL 142.250.179.142:80 google.com tcp
IN 20.207.73.82:80 github.com tcp
N/A 127.0.0.1:49993 tcp
NL 149.154.167.220:443 api.telegram.org tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.220:443 api.telegram.org tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.220:443 api.telegram.org tcp
DE 144.76.136.153:443 transfer.sh tcp
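
The rows above collapse into a handful of endpoints, and the repetition itself is informative: the same two HTTPS destinations (transfer.sh and api.telegram.org) are hit over and over, which matches the stealer upload-and-notify pattern the Gurcu/WhiteSnake signature implies. The Python below is an added example, not part of the sandbox report, that parses the table into unique endpoints with connection counts and sorts them into exfiltration, resolver, loopback and unexplained traffic. The row excerpt is copied from the table above; the `EXFIL_HOSTS` set, the bucket names and the function names are the example's own assumptions.

```python
"""Summarise a sandbox network table: collapse repeated rows, separate the
exfiltration channels from DNS, loopback and unexplained traffic, and emit
domain-first blocklist entries. Added example; rows copied from the report."""
import re
from collections import Counter

# Constructed excerpt of the report's network table. Layout as printed:
#   country  ip:port  [resolved host]  protocol   (host column is blank on some rows)
NETWORK_ROWS = """
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 66.254.114.41:80 www.pornhub.org tcp
US 8.8.8.8:53 www.pornhub.org udp
SK 91.228.166.47:80 eset.com tcp
NL 173.223.113.131:80 tcp
US 8.8.8.8:53 github.com udp
IN 20.207.73.82:80 github.com tcp
N/A 127.0.0.1:49946 tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 216.58.214.14:80 youtube.com tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<host>\S+))?\s+(?P<proto>tcp|udp)$"
)

# Assumption: stolen data leaves through the file-upload host and the Telegram
# Bot API. Everything else in the table is left for the analyst to explain.
EXFIL_HOSTS = {"transfer.sh", "api.telegram.org"}


def parse_rows(text):
    """One dict per row: cc, ip, port (int), host ('' if blank), proto."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["port"] = int(r["port"])
            r["host"] = r["host"] or ""
            rows.append(r)
    return rows


def endpoint_counts(rows):
    """Connections per (ip, port, host, proto). Repeats are retries or
    repeated uploads, not duplicate report lines, so keep the count."""
    return Counter((r["ip"], r["port"], r["host"], r["proto"]) for r in rows)


def classify(rows):
    """Bucket unique endpoints so the right things get blocked."""
    buckets = {"exfil": set(), "dns": set(), "loopback": set(), "other": set()}
    for r in rows:
        key = (r["ip"], r["port"], r["host"])
        if r["ip"].startswith("127."):
            buckets["loopback"].add(key)   # local proxy/SOCKS, never leaves the host
        elif r["proto"] == "udp" and r["port"] == 53:
            buckets["dns"].add(key)        # resolver traffic; act on the name, not 8.8.8.8
        elif r["host"] in EXFIL_HOSTS:
            buckets["exfil"].add(key)
        else:
            buckets["other"].add(key)      # connectivity checks / background noise: verify first
    return buckets


def blocklist(rows):
    """(host, ip, port) for the exfil channels, domain first: both hosts are
    shared public services, so a bare IP block is brittle and noisy."""
    return sorted({(r["host"], r["ip"], r["port"]) for r in rows if r["host"] in EXFIL_HOSTS})


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    for ep, n in endpoint_counts(rows).most_common():
        print(n, *ep)
    for name, eps in classify(rows).items():
        print(name, sorted(eps))
    print(blocklist(rows))
```

Two caveats when turning this into detection. The loopback rows (127.0.0.1:49946 and, further up, 127.0.0.1:49993) are consistent with the tor.exe listed under Files: Tor serves a local SOCKS port, so any onion traffic never shows up here as a direct egress row and a perimeter blocklist built only from this table misses it. And since transfer.sh and api.telegram.org are shared services, key the alert on the originating process (whitesnake.exe, or any non-browser process opening api.telegram.org) together with the domain rather than on 144.76.136.153 or 149.154.167.220 alone.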

Files

memory/4448-133-0x00000186F4750000-0x00000186F47AC000-memory.dmp

memory/4448-136-0x00000186F4BA0000-0x00000186F4BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

MD5 aec814bf30dd191b641feef457a718ce
SHA1 96c2bea5b416d10a2dae60acd2b7f9c7cebb8115
SHA256 446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89
SHA512 fdd89bcb64728e88e5b9453f3c93c011fa2f22a5947a3d380ac2768184126c27b0e97556ace1d736cfe4da20281b5c710af78f55460948d5561c979021f5b6b0

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

MD5 aec814bf30dd191b641feef457a718ce
SHA1 96c2bea5b416d10a2dae60acd2b7f9c7cebb8115
SHA256 446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89
SHA512 fdd89bcb64728e88e5b9453f3c93c011fa2f22a5947a3d380ac2768184126c27b0e97556ace1d736cfe4da20281b5c710af78f55460948d5561c979021f5b6b0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\whitesnake.exe.log

MD5 3308a84a40841fab7dfec198b3c31af7
SHA1 4e7ab6336c0538be5dd7da529c0265b3b6523083
SHA256 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e
SHA512 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

memory/4892-143-0x000002DDAE180000-0x000002DDAE190000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7D91.tmp

MD5 89d2d5811c1aff539bb355f15f3ddad0
SHA1 5bb3577c25b6d323d927200c48cd184a3e27c873
SHA256 b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12
SHA512 39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

MD5 aec814bf30dd191b641feef457a718ce
SHA1 96c2bea5b416d10a2dae60acd2b7f9c7cebb8115
SHA256 446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89
SHA512 fdd89bcb64728e88e5b9453f3c93c011fa2f22a5947a3d380ac2768184126c27b0e97556ace1d736cfe4da20281b5c710af78f55460948d5561c979021f5b6b0

C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\8lxyt4fm8n\port.dat

MD5 d3630410c51e60941a9001a46871070e
SHA1 5e9e35e4d3778985fa3ed033259d0b5b2e68c34c
SHA256 61d8c465a85f889fd0d3a1d9d243dfa3fd2ef0282bc59b36499ccc63d92c1b47
SHA512 3da4ac108489cfcc5ab675dde41ad611c653e835666239999833fe26f0ca3095dac6c74a2c8060203655174e5b081fff9213fb134a3a0dfe04b7d41c7d93c5a7

C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

memory/1864-162-0x00000134C8430000-0x00000134C8440000-memory.dmp

C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\8lxyt4fm8n\torrc.txt

MD5 3a83ec78b95b9599062a1b83ea39521e
SHA1 fe8d57da08b3579724f4d464ed4f4202c23e2b5d
SHA256 2e014afc9447f861aab58d65c2eb80acf5daefe62477b02836757726d299e624
SHA512 2a4685019917318e87e75ee98ed47de04f3a1d52350d4a40f7585a2a0575e0113b23f285a7be98d6408a9bc240eb56d6a5dac1da6cbcb9a1b6b16e2c634a335f

C:\Users\Admin\AppData\Local\8lxyt4fm8n\host\hostname

MD5 bb3c2eb0a36e0b538b1e52d39ffa691a
SHA1 b06ae180daf7f7e34628254e5302e6d2cbc428b8
SHA256 61607f44106fac76f7e9c33cbdbe0ddb50b5765af47a4ee4227239ce0dc1c917
SHA512 1c86db877f23587153ea48bb2a88b249f0a79cb4af5eb04f3dc6c2086010625e14467d79734a08896ec4de57f1a9e064678669082b6c237468d26e3e3d5263c4

C:\Users\Admin\AppData\Local\8lxyt4fm8n\data\cached-microdesc-consensus.tmp

MD5 62afa111550d866293bdce98af512bdd
SHA1 4e3e9aa9e83a85c0f65b3ad7266714ea77cbb29e
SHA256 b36daecbb46e063f62321cf5b666062a5085b21fbcedb5f237bea19627b7f782
SHA512 593f2a71121ccc3952034eae19b32f6f9644f5109d1c6573adc9c27bba60195df8bd610420d3d5d674faba0ab79cdb14ce5624a0bc5d59acefebc21ec9af5efd

C:\Users\Admin\AppData\Local\8lxyt4fm8n\data\cached-microdescs.new

MD5 fa6ca6c94728013dd37b3954d48540cf
SHA1 95f7c4dadb967c6ebd5994cd0eb2917eaa4522ae
SHA256 15d7cb5e1a3d36d4d2e97f4502756face670bb2a1b84c84a7f89971ff836b274
SHA512 372d0b93b61420d6f40a7520c92b04009450740c24af2b49b1207f62ef16bebb740ed5ee1a30d230b75b8659b252e4be8fb79f8e30d304d737e04cb5fda20e3e

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

MD5 aec814bf30dd191b641feef457a718ce
SHA1 96c2bea5b416d10a2dae60acd2b7f9c7cebb8115
SHA256 446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89
SHA512 fdd89bcb64728e88e5b9453f3c93c011fa2f22a5947a3d380ac2768184126c27b0e97556ace1d736cfe4da20281b5c710af78f55460948d5561c979021f5b6b0

C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

MD5 aec814bf30dd191b641feef457a718ce
SHA1 96c2bea5b416d10a2dae60acd2b7f9c7cebb8115
SHA256 446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89
SHA512 fdd89bcb64728e88e5b9453f3c93c011fa2f22a5947a3d380ac2768184126c27b0e97556ace1d736cfe4da20281b5c710af78f55460948d5561c979021f5b6b0

C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192
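
Entries in this section repeat because the report records every write, and the SHA256 under C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe is the submitted sample's own hash, so that dropped executable is a self-copy used for persistence rather than a second payload. The Python below is an added example, not part of the report, that parses the section, collapses repeated entries by SHA256, picks out self-copies and lists the remaining hashes that should be verified before they go on a blocklist. The excerpt is copied from the entries above with the SHA512 lines left out to keep it short; the function names are the example's own.

```python
"""Parse a sandbox Files section, collapse repeated entries, and relate the
dropped files to the submitted sample. Added example; excerpt copied from the
report (SHA512 lines omitted)."""
import re

# From the report header: SHA256 of the submitted whitesnake.exe.
SAMPLE_SHA256 = "446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89"

# Constructed excerpt of the Files section. Raw string: the Windows paths
# contain \U and \N, which Python would otherwise read as escapes.
FILES_TEXT = r"""
memory/4448-133-0x00000186F4750000-0x00000186F47AC000-memory.dmp

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

MD5 aec814bf30dd191b641feef457a718ce
SHA1 96c2bea5b416d10a2dae60acd2b7f9c7cebb8115
SHA256 446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89

C:\Users\Admin\AppData\Local\Nvidia\whitesnake.exe

MD5 aec814bf30dd191b641feef457a718ce
SHA1 96c2bea5b416d10a2dae60acd2b7f9c7cebb8115
SHA256 446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89

C:\Users\Admin\AppData\Local\8lxyt4fm8n\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

C:\Users\Admin\AppData\Local\8lxyt4fm8n\host\hostname

MD5 bb3c2eb0a36e0b538b1e52d39ffa691a
SHA1 b06ae180daf7f7e34628254e5302e6d2cbc428b8
SHA256 61607f44106fac76f7e9c33cbdbe0ddb50b5765af47a4ee4227239ce0dc1c917
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                       # drive-letter path starts an entry
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")


def parse_files(text):
    """One dict per file entry in report order; memory dumps are skipped."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            entries.append(current)
        elif line.startswith("memory/"):
            current = None                    # hash lines after a dump belong to nothing
        else:
            m = HASH_RE.match(line)
            if m and current is not None:
                current[m.group(1)] = m.group(2)
    return entries


def collapse(entries):
    """{sha256: {"paths": set, "events": int}}: same content written N times."""
    out = {}
    for e in entries:
        if "SHA256" not in e:
            continue
        g = out.setdefault(e["SHA256"], {"paths": set(), "events": 0})
        g["paths"].add(e["path"])
        g["events"] += 1
    return out


def self_copies(entries, sample_sha256=SAMPLE_SHA256):
    """Dropped paths whose content is byte-identical to the submitted sample."""
    return sorted({e["path"] for e in entries if e.get("SHA256") == sample_sha256})


def dropped_payloads(entries, sample_sha256=SAMPLE_SHA256):
    """SHA256s of dropped files other than the sample itself: these are the
    ones to verify (stock tool? config? ) before they become blocklist IOCs."""
    return sorted({e["SHA256"] for e in entries if e.get("SHA256") not in (None, sample_sha256)})


if __name__ == "__main__":
    entries = parse_files(FILES_TEXT)
    for sha, g in collapse(entries).items():
        print(sha, g["events"], sorted(g["paths"]))
    print("self-copies:", self_copies(entries))
    print("verify before blocking:", dropped_payloads(entries))
```

Two points for the analyst reading the collapsed list. tor.exe sits in what looks like an ordinary Tor data directory (torrc.txt, data\cached-microdescs.new, and host\hostname, the file Tor writes an onion service's address into for a HiddenServiceDir), so its hash may well match a legitimate Tor build; confirm that before treating the hash as a malicious-file indicator, and key detection on the location (a Tor client under AppData\Local\<random>\tor\) instead. The CLR_v4.0\UsageLogs\whitesnake.exe.log entry is the .NET runtime's usage log, which tells you the sample is a managed (.NET) executable before you open it in a disassembler.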