Malware Analysis Report

2024-10-19 06:43

Sample ID 230908-lr59tsae98
Target 369204590CE91E77109E21A298753522.exe
SHA256 a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647
Tags gurcu collection spyware stealer discovery
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647

Threat Level: Known bad

The file 369204590CE91E77109E21A298753522.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection spyware stealer discovery

Gurcu family

Detect Gurcu Stealer V3 payload

Gurcu, WhiteSnake

Reads user/profile data of web browsers

Deletes itself

Checks computer location settings

Executes dropped EXE

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks installed software on the system

Enumerates physical storage devices

Program crash

Unsigned PE

outlook_win_path

Runs ping.exe

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

outlook_office_path

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-09-08 09:46

Signatures

Detect Gurcu Stealer V3 payload

Description Indicator Process Target
N/A N/A N/A N/A

Gurcu family

gurcu

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-09-08 09:46

Reported 2023-09-08 09:49

Platform win7-20230831-en

Max time kernel 121s

Max time network 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe"

Signatures

Detect Gurcu Stealer V3 payload

Description Indicator Process Target
N/A N/A N/A N/A

Gurcu, WhiteSnake

stealer gurcu

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3024 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe C:\Windows\System32\cmd.exe
PID 2768 wrote to memory of 2412 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2768 wrote to memory of 2688 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2768 wrote to memory of 2700 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2768 wrote to memory of 2668 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 2668 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe C:\Windows\system32\WerFault.exe
PID 692 wrote to memory of 564 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 564 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe C:\Windows\system32\WerFault.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe

"C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

"C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2668 -s 3112

C:\Windows\system32\taskeng.exe

taskeng.exe {E392EC7D-DD09-4E4D-9E0F-C95512F57B80} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 564 -s 3016

Network

Country Destination Domain Proto
US 8.8.8.8:53 archive.torproject.org udp
DE 159.69.63.226:443 archive.torproject.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.68:80 apps.identrust.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/3024-0-0x0000000000090000-0x00000000000B4000-memory.dmp

memory/3024-1-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

memory/3024-2-0x000000001B290000-0x000000001B310000-memory.dmp

memory/3024-5-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

MD5 369204590ce91e77109e21a298753522
SHA1 e981f0c86c42e9e8fcbc7dcff0e05c35887a3869
SHA256 a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647
SHA512 bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

memory/2668-10-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

memory/2668-9-0x0000000000FA0000-0x0000000000FC4000-memory.dmp

memory/2668-11-0x000000001ADA0000-0x000000001AE20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab4203.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar4263.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 01d7f10e8b0db78e4255dd5ebdd2fbef
SHA1 813380d6364095c424cc79e0494b94a53085c921
SHA256 e4a2c38bcf2c23d5795c65ca42ae0c140274c37f6516180af2f7ecff91c32788
SHA512 91eb4b7e212da566b0d79293ebdfb9307412ebc7063db13924eb81beb3f89909805e9a552df8340ccfc02c6a9bd290c2cd84d3e4b8e524c0a08b580d44b76691

memory/2668-86-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

memory/2668-87-0x000000001ADA0000-0x000000001AE20000-memory.dmp

memory/564-89-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

C:\Users\Admin\AppData\Local\84tnjh4449\port.dat

MD5 7c0f63c15f8749d716ba1ac9121cc1a8
SHA1 e9685cf33b27028baae03480e332e453ace2abfb
SHA256 df33710fdefd14a5117159cb74c10e74d0f403d355a2f29a2a74d17499fbb60f
SHA512 c615875186d4d6c82f4f794b93dc5d6d453dd1541f70d52da7fb2ebb320f43988b6053cd3b982b82c96235b965d5118ba85008a0cd6f5e4d56c31c1a242f40e1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 570c5df11682880a2d89ea35fe4c8a55
SHA1 1a8db316900c69a43adc208b57ebcc6ba5d7b9e1
SHA256 6d1261caf8b0abb94c80c8169af4cb7021843f397cb3fc226f3097ce990e2c75
SHA512 4998a8cb57552153b02d25c25e7a84cc9589a9fa55c9b07da8140858eb2c09daac4e585930f5e5fa1afe28ac2cbe490f3ab8f7cde398ceaa8f9684285be34146

C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt

MD5 1d2c0986ba3c3af924ad4b8776a45190
SHA1 e4199810598c592fb4304eb37cf90d2ce2065a11
SHA256 8f8cc850ea7e227ba100ad943c4c9000857e39d66a0aa6a245f599e6868d04c2
SHA512 275f4de2999bc947be2a179aab2ed6e33d7591d3464d3ba43d3ca1b6fc0ada3aae2090f39dc3620bfcfa57824e26aba7b401145137f87115bbd4c3589a291524

memory/564-111-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

memory/564-112-0x000000001B1C0000-0x000000001B240000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-09-08 09:46

Reported 2023-09-08 09:49

Platform win10v2004-20230831-en

Max time kernel 142s

Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe"

Signatures

Detect Gurcu Stealer V3 payload

Description Indicator Process Target
N/A N/A N/A N/A

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe C:\Windows\System32\cmd.exe
PID 4396 wrote to memory of 4980 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4396 wrote to memory of 4824 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4396 wrote to memory of 220 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4396 wrote to memory of 4540 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 4540 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe C:\Windows\System32\tar.exe
PID 4540 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe

"C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

"C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"

C:\Windows\System32\tar.exe

"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp977D.tmp" -C "C:\Users\Admin\AppData\Local\84tnjh4449"

C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe

"C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 archive.torproject.org udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 226.63.69.159.in-addr.arpa udp
DE 185.220.101.206:443 N/A tcp
N/A 127.0.0.1:55921 N/A tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
DE 193.108.117.103:9001 N/A tcp
FR 162.19.247.215:9001 N/A tcp
DE 93.180.157.154:9001 N/A tcp
US 8.8.8.8:53 206.101.220.185.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 103.117.108.193.in-addr.arpa udp
US 8.8.8.8:53 215.247.19.162.in-addr.arpa udp
US 8.8.8.8:53 154.157.180.93.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 254.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 254.109.26.67.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

memory/1956-0-0x000002AD94C50000-0x000002AD94C74000-memory.dmp

memory/1956-3-0x00007FF94F480000-0x00007FF94FF41000-memory.dmp

memory/1956-4-0x000002ADAF4F0000-0x000002ADAF500000-memory.dmp

memory/1956-6-0x00007FF94F480000-0x00007FF94FF41000-memory.dmp

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

MD5 369204590ce91e77109e21a298753522
SHA1 e981f0c86c42e9e8fcbc7dcff0e05c35887a3869
SHA256 a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647
SHA512 bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\369204590CE91E77109E21A298753522.exe.log

MD5 3308a84a40841fab7dfec198b3c31af7
SHA1 4e7ab6336c0538be5dd7da529c0265b3b6523083
SHA256 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e
SHA512 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

memory/4540-11-0x00007FF94F2E0000-0x00007FF94FDA1000-memory.dmp

memory/4540-12-0x000001EFBB700000-0x000001EFBB710000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp977D.tmp

MD5 89d2d5811c1aff539bb355f15f3ddad0
SHA1 5bb3577c25b6d323d927200c48cd184a3e27c873
SHA256 b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12
SHA512 39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt

MD5 ee924916761b5561cd22cddaaffc7a2f
SHA1 e3b030c6f2bafcfbf20b41bfc555226fa834de0e
SHA256 0f95b0b00ed6da0eae8c4ae58da42885cf91e43de92972be21849e0a95deec05
SHA512 769e721e509f820549f9b612b45d7ef6403d6ce8ea9dedbf3ccb9b9bca98d5044fe28ed304ec112c92bd022f6297824d0a94dbd07dafa7f85664433df80c1164

C:\Users\Admin\AppData\Local\84tnjh4449\host\hostname

MD5 1a0ee30da0718953acf3a26241c792ab
SHA1 09cac0adddbe73ba206f5078574af74d787c5196
SHA256 b362acf34d3856e0dd5015e400b201bee9be2adeaeb7bcb9870f067f65bf5490
SHA512 dc2ba0355c1d0e63de9a21f5be3cf16c2c17d47a5e30ecf5e1f18b7427bc5d7c0e2f24cacd4dc471f770fa2c4368f763a6c429886e551a64f05ec9546e2cf8c1

C:\Users\Admin\AppData\Local\84tnjh4449\data\cached-microdesc-consensus.tmp

MD5 a16fb07bbf99c6183f970b4035eb661e
SHA1 8f62ae7875b0473da5b32feff18f468ce6912ef1
SHA256 f364c978e02cd9edc1e0c5728887a1b58c7382bb1a489a571eedcb09dd8c7b0a
SHA512 a81bea0d5ce95fced2089953d9b6e7d99ed5d46885549a5210ad12a6251d8ae4ae00072c246239cacb6cf10b238d71999cb98f3dbd301ab6b6184f737e0e3cbb

memory/4540-49-0x00007FF94F2E0000-0x00007FF94FDA1000-memory.dmp

C:\Users\Admin\AppData\Local\84tnjh4449\data\cached-microdescs.new

MD5 c228bd9378e3a5b3271c144a22a02c26
SHA1 93786b37a9955aef506f69b3685193ba859ecf2a
SHA256 2d031afe93888e0afbc17cdafd6fbf35435f54b28cdf5a5902c0bd3317018328
SHA512 2f70cec015b91eafaf2d485f438d83f17cf09ddb66698cfc2db15abd2548a10621bf65ee9c8a4eae7f4a5680bc66650ca703d20e3beacf76f37eee6499d0966f

memory/4540-56-0x000001EFBB700000-0x000001EFBB710000-memory.dmp

memory/4376-84-0x000001A7C5940000-0x000001A7C5950000-memory.dmp

memory/4376-100-0x000001A7C5A40000-0x000001A7C5A50000-memory.dmp

memory/4376-116-0x000001A7CDFF0000-0x000001A7CDFF1000-memory.dmp

memory/4376-117-0x000001A7CF010000-0x000001A7CF011000-memory.dmp

memory/4376-118-0x000001A7CF010000-0x000001A7CF011000-memory.dmp

memory/4376-119-0x000001A7CF010000-0x000001A7CF011000-memory.dmp

memory/4376-120-0x000001A7CF010000-0x000001A7CF011000-memory.dmp

memory/4376-121-0x000001A7CF010000-0x000001A7CF011000-memory.dmp

memory/4376-122-0x000001A7CF010000-0x000001A7CF011000-memory.dmp

memory/4376-123-0x000001A7CF010000-0x000001A7CF011000-memory.dmp

memory/4376-124-0x000001A7CF010000-0x000001A7CF011000-memory.dmp

memory/4376-125-0x000001A7CF010000-0x000001A7CF011000-memory.dmp

memory/4376-126-0x000001A7CF010000-0x000001A7CF011000-memory.dmp

memory/4376-127-0x000001A7CDC40000-0x000001A7CDC41000-memory.dmp

memory/4376-128-0x000001A7CDC30000-0x000001A7CDC31000-memory.dmp

memory/4376-130-0x000001A7CDC40000-0x000001A7CDC41000-memory.dmp

memory/4376-133-0x000001A7CDC30000-0x000001A7CDC31000-memory.dmp

memory/4376-136-0x000001A7CDB70000-0x000001A7CDB71000-memory.dmp

memory/4376-148-0x000001A7CDD70000-0x000001A7CDD71000-memory.dmp

memory/4376-150-0x000001A7CDD80000-0x000001A7CDD81000-memory.dmp

memory/4376-151-0x000001A7CDD80000-0x000001A7CDD81000-memory.dmp

memory/4376-152-0x000001A7CDE90000-0x000001A7CDE91000-memory.dmp