Analysis Overview
SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98
Threat Level: Known bad
The file 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe was found to be: Known bad.
Malicious Activity Summary
Gurcu family
Gurcu, WhiteSnake
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Checks installed software on the system
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Program crash
Enumerates physical storage devices
Runs ping.exe
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-07-21 08:31
Signatures
Gurcu family
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-21 08:31
Reported
2023-07-21 08:37
Platform
win10v2004-20230703-en
Max time kernel
372s
Max time network
382s
Command Line
Signatures
Gurcu, WhiteSnake
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A |
Executes dropped EXE
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
"C:\Users\Admin\AppData\Local\Temp\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping 127.0.0.1
C:\Windows\system32\schtasks.exe
schtasks /create /tn "2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
"C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe"
C:\Windows\System32\tar.exe
"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp30B0.tmp" -C "C:\Users\Admin\AppData\Local\x22nso3f7r"
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
"C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
"C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 1940 -ip 1940
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1940 -s 2816
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
"C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 1672 -ip 1672
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1672 -s 1872
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
"C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 2108 -ip 2108
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2108 -s 2192
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
"C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 2504 -ip 2504
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2504 -s 2160
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
"C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 3876 -ip 3876
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3876 -s 1840
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
"C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 4792 -ip 4792
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4792 -s 2200
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.kz | udp |
| NL | 142.250.179.132:80 | google.kz | tcp |
| US | 8.8.8.8:53 | 132.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.245.36.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| NL | 2.19.194.66:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 66.194.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cyware.com | udp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 8.8.8.8:53 | archive.torproject.org | udp |
| US | 104.244.42.129:80 | twitter.com | tcp |
| US | 15.197.166.200:80 | cyware.com | tcp |
| US | 15.197.166.200:80 | cyware.com | tcp |
| US | 15.197.166.200:443 | cyware.com | tcp |
| US | 104.244.42.129:443 | twitter.com | tcp |
| DE | 159.69.63.226:443 | archive.torproject.org | tcp |
| US | 8.8.8.8:53 | 200.166.197.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.42.244.104.in-addr.arpa | udp |
| US | 15.197.166.200:443 | cyware.com | tcp |
| US | 8.8.8.8:53 | 226.63.69.159.in-addr.arpa | udp |
| NL | 142.250.179.132:80 | google.kz | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 15.197.166.200:443 | cyware.com | tcp |
| US | 15.197.166.200:443 | cyware.com | tcp |
| US | 15.197.166.200:443 | cyware.com | tcp |
| US | 8.8.8.8:53 | youtube.kz | udp |
| NL | 142.251.39.110:80 | youtube.kz | tcp |
| US | 8.8.8.8:53 | 110.39.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| N/A | 127.0.0.1:58617 | | tcp |
| US | 51.81.208.164:443 | | tcp |
| CH | 140.238.218.94:8080 | 140.238.218.94 | tcp |
| DE | 46.235.26.83:8080 | 46.235.26.83 | tcp |
| US | 8.8.8.8:53 | 164.208.81.51.in-addr.arpa | udp |
| DE | 168.119.121.16:8080 | | tcp |
| IS | 93.95.230.85:443 | | tcp |
| US | 8.8.8.8:53 | 94.218.238.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.26.235.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.230.95.93.in-addr.arpa | udp |
| US | 162.251.116.26:443 | | tcp |
| BZ | 94.156.175.85:9001 | | tcp |
| PL | 95.214.53.216:8443 | | tcp |
| US | 8.8.8.8:53 | 216.53.214.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.116.251.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.175.156.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| GB | 51.77.125.62:8080 | | tcp |
| US | 8.8.8.8:53 | cybereason.com | udp |
| US | 45.60.62.106:80 | cybereason.com | tcp |
| US | 15.197.166.200:80 | cyware.com | tcp |
| US | 8.8.8.8:53 | www.cybereason.com | udp |
| US | 15.197.166.200:443 | cyware.com | tcp |
| US | 8.8.8.8:53 | blog.cyble.com | udp |
| US | 192.0.78.213:80 | blog.cyble.com | tcp |
| US | 45.60.62.106:80 | www.cybereason.com | tcp |
| US | 192.0.78.213:443 | blog.cyble.com | tcp |
| US | 45.60.62.106:443 | www.cybereason.com | tcp |
| US | 8.8.8.8:53 | 106.62.60.45.in-addr.arpa | udp |
| N/A | 127.0.0.1:58682 | | tcp |
| US | 8.8.8.8:53 | 213.78.0.192.in-addr.arpa | udp |
| FR | 185.189.159.121:8001 | | tcp |
| FI | 65.21.49.163:8080 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.99.62.23.in-addr.arpa | udp |
| DE | 167.86.115.218:9090 | | tcp |
| FR | 46.226.106.173:8080 | 46.226.106.173 | tcp |
| NL | 142.250.179.132:80 | google.kz | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.106.226.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:58721 | | tcp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| US | 15.197.166.200:80 | cyware.com | tcp |
| US | 15.197.166.200:443 | cyware.com | tcp |
| N/A | 127.0.0.1:58735 | | tcp |
| US | 45.60.62.106:80 | www.cybereason.com | tcp |
| US | 8.8.8.8:53 | www.cybereason.com | udp |
| US | 45.60.62.106:80 | www.cybereason.com | tcp |
| US | 45.60.62.106:443 | www.cybereason.com | tcp |
| N/A | 127.0.0.1:58743 | | tcp |
| N/A | 127.0.0.1:58754 | | tcp |
| US | 8.8.8.8:53 | cyware.com | udp |
| US | 15.197.166.200:80 | cyware.com | tcp |
| US | 15.197.166.200:443 | cyware.com | tcp |
| N/A | 127.0.0.1:58770 | | tcp |
Files
memory/4340-133-0x00000171AF2B0000-0x00000171AF34A000-memory.dmp
memory/4340-134-0x00007FFA4E160000-0x00007FFA4EC21000-memory.dmp
memory/4340-135-0x00000171C99E0000-0x00000171C99F0000-memory.dmp
memory/4340-139-0x00007FFA4E160000-0x00007FFA4EC21000-memory.dmp
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
| MD5 | fdb8081ac26d8de3f7582b2616bcf3e8 |
| SHA1 | c46856c1394a0b36f7826285db0d72ae494f15f0 |
| SHA256 | 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98 |
| SHA512 | 0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98 |
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
| MD5 | fdb8081ac26d8de3f7582b2616bcf3e8 |
| SHA1 | c46856c1394a0b36f7826285db0d72ae494f15f0 |
| SHA256 | 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98 |
| SHA512 | 0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe.log
| MD5 | fc1be6f3f52d5c841af91f8fc3f790cb |
| SHA1 | ac79b4229e0a0ce378ae22fc6104748c5f234511 |
| SHA256 | 6da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910 |
| SHA512 | 2f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6 |
memory/1132-144-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp
memory/1132-145-0x0000022168C60000-0x0000022168C70000-memory.dmp
memory/1132-148-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp30B0.tmp
| MD5 | 89d2d5811c1aff539bb355f15f3ddad0 |
| SHA1 | 5bb3577c25b6d323d927200c48cd184a3e27c873 |
| SHA256 | b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12 |
| SHA512 | 39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289 |
memory/1132-161-0x0000022168C60000-0x0000022168C70000-memory.dmp
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
| MD5 | 88590909765350c0d70c6c34b1f31dd2 |
| SHA1 | 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7 |
| SHA256 | 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82 |
| SHA512 | a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192 |
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
| MD5 | 88590909765350c0d70c6c34b1f31dd2 |
| SHA1 | 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7 |
| SHA256 | 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82 |
| SHA512 | a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192 |
C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt
| MD5 | 46d0944bd9d27f02bf292ffe0d53192b |
| SHA1 | 1360c2e7bec6f60535e94f0688ea857e2f7c9438 |
| SHA256 | 73a86944304f8b868250c5107cceb883b0e90d1118ef8808bd33b43d3c7a7646 |
| SHA512 | a21ec2d8819b9f72fbef982452b889842316e97407c0e5d91697dace3986a56c09f05db676efca6afa923e4c075dab4b2407bcd91671849f884756c553cf5e8e |
C:\Users\Admin\AppData\Local\x22nso3f7r\host\hostname
| MD5 | b123bc958adab8ad33c642a48c01e463 |
| SHA1 | 4b404c3f48f7f618b746cd44eedab693fa217fe4 |
| SHA256 | 18c28904e0703012836765c5d42a3b0bc2585f352858a669c8df14c48015cb70 |
| SHA512 | 1f41c4fa4af1510b1a65823c8b390fc0067131aa708a05d35ca944fd5368dc42ead15e4ce23f987635df3f7c89653f68e094740ab7beb088a5b37842524b3f15 |
C:\Users\Admin\AppData\Local\x22nso3f7r\data\cached-microdesc-consensus.tmp
| MD5 | d5a455e55c380c0d6851ce1f0f2b2866 |
| SHA1 | bb9ca92d3ee60963326368b298e8c0b9d84c4624 |
| SHA256 | b8b8c31f3906ff13a489f0ec8b32c13ea79cf412d51acf595e93b0bc54fa9b49 |
| SHA512 | 322dedfee1c64eca986bb43dd41cf63c670756e24bce8d4516332e679e4c89f959ce5b8749601b802b88ec2d7173a6945c935faafdeaf9ef04e9582bf677128e |
C:\Users\Admin\AppData\Local\x22nso3f7r\data\cached-microdescs.new
| MD5 | 2022238a16ca0b4b07c799cec50d1eca |
| SHA1 | fe30e4e3de0e454d195ab6fc00b38edb28ec509b |
| SHA256 | cccd22b9181d6a5644f60bf1462dbaba75655d94e1831410c0d6e3dad5fc37e1 |
| SHA512 | 38015e447aea18f57653fd0b4bfb046b12c658145794892d638987893c95e8f4b666f711424917d0381fa1ba13d88ffa1e0c0d3f2bb81f7f959f9a84c11f7e47 |
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
| MD5 | fdb8081ac26d8de3f7582b2616bcf3e8 |
| SHA1 | c46856c1394a0b36f7826285db0d72ae494f15f0 |
| SHA256 | 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98 |
| SHA512 | 0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98 |
memory/1940-207-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp
memory/1940-208-0x000001BD20A70000-0x000001BD20A80000-memory.dmp
C:\Users\Admin\AppData\Local\x22nso3f7r\port.dat
| MD5 | db5cea26ca37aa09e5365f3e7f5dd9eb |
| SHA1 | b30836d8dce06d547fbb3f470f8c46c0929fd64c |
| SHA256 | 468344ce1f2e74f3f5233c3be814c0ae4a90e12b7c4b6524883870110f7ac89a |
| SHA512 | ad69a69cc2108dc26ff9285debdfae6c5eeafbb529618bca6e523a1657808e67d9601a3c9814adc29b044d357c607382e60ec4be1b51cdb26c0d9b68eec7011c |
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
| MD5 | 88590909765350c0d70c6c34b1f31dd2 |
| SHA1 | 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7 |
| SHA256 | 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82 |
| SHA512 | a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192 |
memory/1940-211-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
| MD5 | fdb8081ac26d8de3f7582b2616bcf3e8 |
| SHA1 | c46856c1394a0b36f7826285db0d72ae494f15f0 |
| SHA256 | 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98 |
| SHA512 | 0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98 |
memory/1672-222-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
| MD5 | 88590909765350c0d70c6c34b1f31dd2 |
| SHA1 | 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7 |
| SHA256 | 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82 |
| SHA512 | a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192 |
memory/1672-224-0x000001B1F6750000-0x000001B1F68BA000-memory.dmp
memory/1672-225-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
| MD5 | fdb8081ac26d8de3f7582b2616bcf3e8 |
| SHA1 | c46856c1394a0b36f7826285db0d72ae494f15f0 |
| SHA256 | 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98 |
| SHA512 | 0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98 |
memory/2108-227-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
| MD5 | 88590909765350c0d70c6c34b1f31dd2 |
| SHA1 | 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7 |
| SHA256 | 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82 |
| SHA512 | a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192 |
memory/2108-229-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
| MD5 | fdb8081ac26d8de3f7582b2616bcf3e8 |
| SHA1 | c46856c1394a0b36f7826285db0d72ae494f15f0 |
| SHA256 | 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98 |
| SHA512 | 0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98 |
memory/2504-231-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
| MD5 | 88590909765350c0d70c6c34b1f31dd2 |
| SHA1 | 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7 |
| SHA256 | 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82 |
| SHA512 | a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192 |
memory/2504-233-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
| MD5 | fdb8081ac26d8de3f7582b2616bcf3e8 |
| SHA1 | c46856c1394a0b36f7826285db0d72ae494f15f0 |
| SHA256 | 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98 |
| SHA512 | 0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98 |
memory/3876-239-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
| MD5 | 88590909765350c0d70c6c34b1f31dd2 |
| SHA1 | 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7 |
| SHA256 | 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82 |
| SHA512 | a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192 |
memory/3876-241-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
| MD5 | fdb8081ac26d8de3f7582b2616bcf3e8 |
| SHA1 | c46856c1394a0b36f7826285db0d72ae494f15f0 |
| SHA256 | 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98 |
| SHA512 | 0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98 |
memory/4792-251-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
| MD5 | 88590909765350c0d70c6c34b1f31dd2 |
| SHA1 | 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7 |
| SHA256 | 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82 |
| SHA512 | a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192 |
memory/4792-253-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp