Malware Analysis Report

2024-10-19 06:43

Sample ID 230908-lrl6ysad41
Target 369204590CE91E77109E21A298753522.exe
SHA256 a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647
Tags
gurcu collection spyware stealer discovery
score
10/10

Analysis Overview

score
10/10

SHA256

a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647

Threat Level: Known bad

The file 369204590CE91E77109E21A298753522.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection spyware stealer discovery

Gurcu, WhiteSnake

Gurcu family

Detect Gurcu Stealer V3 payload

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Checks installed software on the system

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Program crash

Enumerates physical storage devices

Unsigned PE

Modifies system certificate store

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Runs ping.exe

outlook_win_path

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

outlook_office_path

Analysis: static1

Detonation Overview

Reported

2023-09-08 09:46

Signatures

Detect Gurcu Stealer V3 payload

Description Indicator Process Target
N/A N/A N/A N/A

Gurcu family

gurcu

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-08 09:46

Reported

2023-09-08 09:48

Platform

win7-20230831-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe"

Signatures

Detect Gurcu Stealer V3 payload

Description Indicator Process Target
N/A N/A N/A N/A

Gurcu, WhiteSnake

stealer gurcu

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe C:\Windows\System32\cmd.exe
PID 2588 wrote to memory of 2660 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2588 wrote to memory of 2704 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2588 wrote to memory of 2836 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2588 wrote to memory of 2608 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 2608 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe C:\Windows\system32\WerFault.exe
PID 824 wrote to memory of 2020 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 2020 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe C:\Windows\system32\WerFault.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe

"C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

"C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2608 -s 3116

C:\Windows\system32\taskeng.exe

taskeng.exe {14D71E3C-0CE5-4569-9B58-7D7DE380F8AE} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2020 -s 2884

Network

Country Destination Domain Proto
US 8.8.8.8:53 archive.torproject.org udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.70:80 apps.identrust.com tcp

Files

memory/1692-0-0x0000000000170000-0x0000000000194000-memory.dmp

memory/1692-1-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

memory/1692-2-0x000000001B0E0000-0x000000001B160000-memory.dmp

memory/1692-5-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

MD5 369204590ce91e77109e21a298753522
SHA1 e981f0c86c42e9e8fcbc7dcff0e05c35887a3869
SHA256 a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647
SHA512 bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

memory/2608-9-0x0000000000940000-0x0000000000964000-memory.dmp

memory/2608-10-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

memory/2608-11-0x000000001B160000-0x000000001B1E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab849E.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar84DF.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c41edc6b0b9217b04eb6d2d5ea3fa10
SHA1 336eeb06a8abdf283b2e3b53464d191ac9940bff
SHA256 72f848da2c4b38ba8d453e89a8b346452e6c71714c646ba6466078d3a36589de
SHA512 7041510c4eb7d8e686851fbbee5a06b4e447e32e5476517e8c566723c20a627c4ff16f2b1d69eb494e91213649eb3da22a9f2521553c893c2debc7cbef311e6b

memory/2608-76-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

memory/2608-77-0x000000001B160000-0x000000001B1E0000-memory.dmp

memory/2020-79-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

memory/2020-80-0x000000001B4A0000-0x000000001B520000-memory.dmp

C:\Users\Admin\AppData\Local\84tnjh4449\port.dat

MD5 7695ea769f021803c508817dd374bb27
SHA1 33c27df10ca3bacf99aec5e5db8e769963e41fdd
SHA256 9d0f9740bf708828641fecffa4c14fa25d195953b513e82203fd62533512d55d
SHA512 4f933afd509b9a374275022830b9f7cefa58ae8a87e9df793afab0ee0f99f8deb3348c74c053573b071098682fe0beb6eda56f5a2d8a1f879f3a555f3fc51bff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0988741a70d5aed8bfc8233b892d2205
SHA1 cef3fab8d6c9d7a4b5dfe73eaefce77667544b66
SHA256 e77c3f3681bcb76094a0cfe70700ad9c58e0bb6f4ca3804dd495e29740896164
SHA512 6e9577a29907850a5e91fa93d7d882593dcd1c26025e975273add071741862a71b02f1ec3d6b89f60008d578b021c75a2fbfa2a055835ec819e18061e0d489ff

C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt

MD5 1d2c0986ba3c3af924ad4b8776a45190
SHA1 e4199810598c592fb4304eb37cf90d2ce2065a11
SHA256 8f8cc850ea7e227ba100ad943c4c9000857e39d66a0aa6a245f599e6868d04c2
SHA512 275f4de2999bc947be2a179aab2ed6e33d7591d3464d3ba43d3ca1b6fc0ada3aae2090f39dc3620bfcfa57824e26aba7b401145137f87115bbd4c3589a291524

memory/2020-102-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-08 09:46

Reported

2023-09-08 09:48

Platform

win10v2004-20230831-en

Max time kernel

128s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe"

Signatures

Detect Gurcu Stealer V3 payload

Description Indicator Process Target
N/A N/A N/A N/A

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2004 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe C:\Windows\System32\cmd.exe
PID 1048 wrote to memory of 3440 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1048 wrote to memory of 636 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1048 wrote to memory of 232 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1048 wrote to memory of 3452 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 3452 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe C:\Windows\System32\tar.exe
PID 3452 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe

"C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

"C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"

C:\Windows\System32\tar.exe

"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpB1FA.tmp" -C "C:\Users\Admin\AppData\Local\84tnjh4449"

C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe

"C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 archive.torproject.org udp
US 8.8.8.8:53 ip-api.com udp
DE 159.69.63.226:443 archive.torproject.org tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 226.63.69.159.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
DE 138.201.250.33:9011 N/A tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 33.250.201.138.in-addr.arpa udp
AT 140.78.100.22:5443 N/A tcp
N/A 127.0.0.1:50044 N/A tcp
DE 178.254.20.159:443 N/A tcp
FR 146.59.156.21:9001 N/A tcp
DE 217.79.179.177:9001 N/A tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 22.100.78.140.in-addr.arpa udp
US 8.8.8.8:53 159.20.254.178.in-addr.arpa udp
US 8.8.8.8:53 21.156.59.146.in-addr.arpa udp
US 8.8.8.8:53 177.179.79.217.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

memory/2004-0-0x000002379E9B0000-0x000002379E9D4000-memory.dmp

memory/2004-4-0x00000237B8FE0000-0x00000237B8FF0000-memory.dmp

memory/2004-3-0x00007FFDAF6D0000-0x00007FFDB0191000-memory.dmp

memory/2004-6-0x00007FFDAF6D0000-0x00007FFDB0191000-memory.dmp

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

MD5 369204590ce91e77109e21a298753522
SHA1 e981f0c86c42e9e8fcbc7dcff0e05c35887a3869
SHA256 a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647
SHA512 bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\369204590CE91E77109E21A298753522.exe.log

MD5 3308a84a40841fab7dfec198b3c31af7
SHA1 4e7ab6336c0538be5dd7da529c0265b3b6523083
SHA256 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e
SHA512 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

memory/3452-11-0x00007FFDAEB40000-0x00007FFDAF601000-memory.dmp

memory/3452-12-0x00000253D4420000-0x00000253D4430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB1FA.tmp

MD5 89d2d5811c1aff539bb355f15f3ddad0
SHA1 5bb3577c25b6d323d927200c48cd184a3e27c873
SHA256 b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12
SHA512 39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt

MD5 0a19f7d35d052f6b0b06e1bfc4bd43f5
SHA1 f76cd369e24fd2faabeffcc3a05e19e961f4d07e
SHA256 da69ff6a1173f0052924f0fdb3a81cadb2e48eb77778560a190126bcf016c9a2
SHA512 51dc40829ee030ef118103b24b42bd8717bf7a8018a18e5aa448084ad6d9e5f5cafef217adfa22bf9d04aa01d5c13fb26a37d6206b351b998b96bc97de2fdd96

C:\Users\Admin\AppData\Local\84tnjh4449\host\hostname

MD5 7514b7a3b8eac38d6c4664103dc875d5
SHA1 94859dfa1e01440f90baec88ddde2ebde5ce63d4
SHA256 e469456cc411cb2a844d469824f4a91a0f8730b98b8f458bb5ae559bd78679a8
SHA512 780dab12c973d9445aa6e5d3e2315ef72ced9f98fa5b89517b72a82d575d5b6f15005e3a318b91f11ff09dffc098c8003b56c7866a19cfbda05760d0e7f0a78c

C:\Users\Admin\AppData\Local\84tnjh4449\data\cached-microdesc-consensus.tmp

MD5 a16fb07bbf99c6183f970b4035eb661e
SHA1 8f62ae7875b0473da5b32feff18f468ce6912ef1
SHA256 f364c978e02cd9edc1e0c5728887a1b58c7382bb1a489a571eedcb09dd8c7b0a
SHA512 a81bea0d5ce95fced2089953d9b6e7d99ed5d46885549a5210ad12a6251d8ae4ae00072c246239cacb6cf10b238d71999cb98f3dbd301ab6b6184f737e0e3cbb

C:\Users\Admin\AppData\Local\84tnjh4449\data\cached-certs

MD5 8a61a80582aa209b5a2bee3b430692ac
SHA1 9ade239d05bc8d510aafcdeb57618eec0cc61495
SHA256 59fdb65c676d64e7b2343fb337e9216f2fa7674a16df831c4c327840f8380f8e
SHA512 1afed0a7609d33bf0f8873d179f71424e377d6cca21e081fe596c684c6ba6040024a78210b69f7751ac28b2efbb33c819c89969f3cb02218111c6d4b81bd437b

C:\Users\Admin\AppData\Local\84tnjh4449\data\cached-microdescs.new

MD5 7c8525bb7aeaad9f3a38e9d3a13dc588
SHA1 0b0cfec359e8bc32726c28c61d25e860748b85bd
SHA256 3fac37e379ccab04255da34df1d9fd47676b6a99650cba1c14824c9ae0bde25b
SHA512 f0c6eb254948567462844f670bb180ade8715f101bd6ee187826248afcbbad5a4596adf92570866b20496f49a0612655d6181f08ed85830fd484301dbafd0a2c

memory/3452-59-0x00007FFDAEB40000-0x00007FFDAF601000-memory.dmp

memory/3452-69-0x00000253D4420000-0x00000253D4430000-memory.dmp