Malware Analysis Report

2024-10-23 19:16

Sample ID 230721-kepkwacg22
Target 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
SHA256 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98
Tags
gurcu collection discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

Threat Level: Known bad

The file 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection discovery spyware stealer

Gurcu family

Gurcu, WhiteSnake

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Checks installed software on the system

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Program crash

Enumerates physical storage devices

Runs ping.exe

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-21 08:31

Signatures

Gurcu family

gurcu

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-21 08:31

Reported

2023-07-21 08:37

Platform

win10v2004-20230703-en

Max time kernel

372s

Max time network

382s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4340 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe C:\Windows\System32\cmd.exe
PID 4444 wrote to memory of 4644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4444 wrote to memory of 4248 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4444 wrote to memory of 2804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4444 wrote to memory of 1132 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
PID 1132 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe C:\Windows\System32\tar.exe
PID 1132 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
PID 1940 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
PID 1672 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
PID 2108 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
PID 2504 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
PID 3876 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
PID 4792 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

"C:\Users\Admin\AppData\Local\Temp\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

"C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe"

C:\Windows\System32\tar.exe

"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp30B0.tmp" -C "C:\Users\Admin\AppData\Local\x22nso3f7r"

C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

"C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

"C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 428 -p 1940 -ip 1940

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1940 -s 2816

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

"C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 384 -p 1672 -ip 1672

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1672 -s 1872

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

"C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 512 -p 2108 -ip 2108

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2108 -s 2192

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

"C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 420 -p 2504 -ip 2504

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2504 -s 2160

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

"C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 184 -p 3876 -ip 3876

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3876 -s 1840

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

"C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 516 -p 4792 -ip 4792

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4792 -s 2200

Network


Files
