Malware Analysis Report

2024-10-19 06:43

Sample ID 230908-lswf1sad6v
Target 369204590CE91E77109E21A298753522.exe
SHA256 a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647
Tags
gurcu collection spyware stealer discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647

Threat Level: Known bad

The file 369204590CE91E77109E21A298753522.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection spyware stealer discovery

Gurcu, WhiteSnake

Detect Gurcu Stealer V3 payload

Gurcu family

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

Enumerates physical storage devices

Program crash

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Runs ping.exe

Uses Task Scheduler COM API

outlook_win_path

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-08 09:48

Signatures

Detect Gurcu Stealer V3 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gurcu family

gurcu

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-08 09:48

Reported

2023-09-08 09:50

Platform

win7-20230831-en

Max time kernel

117s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe"

Signatures

Detect Gurcu Stealer V3 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gurcu, WhiteSnake

stealer gurcu

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\cmd.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Modifies system certificate store

evasion spyware trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob data omitted) | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob data omitted) | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob data omitted) | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob data omitted) | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2300 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe | C:\Windows\System32\cmd.exe
PID 2300 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe | C:\Windows\System32\cmd.exe
PID 2300 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe | C:\Windows\System32\cmd.exe
PID 1376 wrote to memory of 2616 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com
PID 1376 wrote to memory of 2616 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com
PID 1376 wrote to memory of 2616 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com
PID 1376 wrote to memory of 2688 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1376 wrote to memory of 2688 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1376 wrote to memory of 2688 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1376 wrote to memory of 2596 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1376 wrote to memory of 2596 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1376 wrote to memory of 2596 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1376 wrote to memory of 2724 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 1376 wrote to memory of 2724 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 1376 wrote to memory of 2724 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 2724 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | C:\Windows\system32\WerFault.exe
PID 2724 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | C:\Windows\system32\WerFault.exe
PID 2724 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | C:\Windows\system32\WerFault.exe
PID 1080 wrote to memory of 564 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 1080 wrote to memory of 564 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 1080 wrote to memory of 564 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 564 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | C:\Windows\system32\WerFault.exe
PID 564 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | C:\Windows\system32\WerFault.exe
PID 564 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | C:\Windows\system32\WerFault.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe

"C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

"C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2724 -s 2868

C:\Windows\system32\taskeng.exe

taskeng.exe {0516550A-1641-4A9B-82AA-D1C8A7E5B693} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 564 -s 2952

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | archive.torproject.org | udp
DE | 159.69.63.226:443 | archive.torproject.org | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | apps.identrust.com | udp
US | 2.18.121.68:80 | apps.identrust.com | tcp
DE | 159.69.63.226:443 | archive.torproject.org | tcp
US | 208.95.112.1:80 | ip-api.com | tcp

Files

memory/2300-0-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

memory/2300-1-0x0000000000E50000-0x0000000000E74000-memory.dmp

memory/2300-2-0x000000001B050000-0x000000001B0D0000-memory.dmp

memory/2300-5-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

MD5 369204590ce91e77109e21a298753522
SHA1 e981f0c86c42e9e8fcbc7dcff0e05c35887a3869
SHA256 a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647
SHA512 bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

MD5 369204590ce91e77109e21a298753522
SHA1 e981f0c86c42e9e8fcbc7dcff0e05c35887a3869
SHA256 a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647
SHA512 bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

memory/2724-9-0x00000000008D0000-0x00000000008F4000-memory.dmp

memory/2724-10-0x000007FEF4D50000-0x000007FEF573C000-memory.dmp

memory/2724-11-0x000000001B330000-0x000000001B3B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabD27E.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarD2C0.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e8c2307c84f29f371ed8369fe7a0ebd6
SHA1 44f1ff2f7f865a21d4b742a65644ac562a288f01
SHA256 4ddd066007e4f287250340425b71ac9ef4c50eb8a222a785429a7b98fd8e6fba
SHA512 104851eaf146457546f7494111d9441f0775899f147902f6379b810cc02e6fe08d077646af00dac4fd6309ac70c85b9b50da94c50589c84edfbff5e2a0871a02

memory/2724-76-0x000007FEF4D50000-0x000007FEF573C000-memory.dmp

memory/2724-77-0x000000001B330000-0x000000001B3B0000-memory.dmp

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

MD5 369204590ce91e77109e21a298753522
SHA1 e981f0c86c42e9e8fcbc7dcff0e05c35887a3869
SHA256 a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647
SHA512 bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

memory/564-79-0x000007FEF4D50000-0x000007FEF573C000-memory.dmp

memory/564-80-0x000000001B160000-0x000000001B1E0000-memory.dmp

C:\Users\Admin\AppData\Local\84tnjh4449\port.dat

MD5 baed9f51d412c2514ee46a0942138ad6
SHA1 45936e464b0f4fb92fed14504f9c50a909729e99
SHA256 07492b151560912565b471452f8baadbf3bc80c73814708053d9e4fb7e6e1401
SHA512 32e44fd6b30ffee03bbd7eab1000f2ab43defbef6b74aba10eaf0788000167883cdcd0eaf14e9fe0d52ab160d687199634ea2fe1d807399f3ac9bfe2ae62af23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f03b146b2e78605d53368549e6d94f18
SHA1 814f228b5a9880f56dabf2ba5581735aae73b691
SHA256 f84ddcac3ba57e6e3fe1cade0bd844ec3511691fab1754067a921ae92c067419
SHA512 24c02099beaf7965ed03ddca461cb2739da9cdac31ad4011aea777de5a94c6bbd925cc9cdb03435c3b77190935722647d532b83c43bdaff2d7032f0ac76ca034

C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt

MD5 1dc1f257ec74e0488f5e190eae799941
SHA1 93cdcdacd427c6154c12475d5a809495d0d55b3b
SHA256 04aa645fad7315470fc6be35f94cf06c65e592f32da763bd140d6bd36d5bc7d3
SHA512 5e092057d83adc2299e3553e43cd5191a83969bcb5ed6edf824da9c0d6097d839395119bc4ecb9041c26539e6611c9e31750c3e61f05b67b8a5bc129f6bfbb53

memory/564-102-0x000007FEF4D50000-0x000007FEF573C000-memory.dmp

memory/564-103-0x000000001B160000-0x000000001B1E0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-08 09:48

Reported

2023-09-08 09:50

Platform

win10v2004-20230831-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe"

Signatures

Detect Gurcu Stealer V3 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2692 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe | C:\Windows\System32\cmd.exe
PID 2692 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe | C:\Windows\System32\cmd.exe
PID 1256 wrote to memory of 1084 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com
PID 1256 wrote to memory of 1084 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com
PID 1256 wrote to memory of 2312 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1256 wrote to memory of 2312 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1256 wrote to memory of 1500 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1256 wrote to memory of 1500 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1256 wrote to memory of 4760 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 1256 wrote to memory of 4760 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 4760 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | C:\Windows\System32\tar.exe
PID 4760 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | C:\Windows\System32\tar.exe
PID 4760 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
PID 4760 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe

"C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

"C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"

C:\Windows\System32\tar.exe

"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp92DA.tmp" -C "C:\Users\Admin\AppData\Local\84tnjh4449"

C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe

"C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | archive.torproject.org | udp
US | 8.8.8.8:53 | ip-api.com | udp
DE | 159.69.63.226:443 | archive.torproject.org | tcp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 226.63.69.159.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
DE | 212.83.43.93:443 | N/A | tcp
N/A | 127.0.0.1:51214 | N/A | tcp
US | 8.8.8.8:53 | transfer.sh | udp
DE | 144.76.136.153:443 | transfer.sh | tcp
US | 152.70.197.164:443 | N/A | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp
US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp
DE | 185.220.101.72:9100 | N/A | tcp
US | 8.8.8.8:53 | 72.101.220.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.111.26.67.in-addr.arpa | udp
US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp

Files

memory/2692-0-0x0000023960CB0000-0x0000023960CD4000-memory.dmp

memory/2692-1-0x00007FFC43400000-0x00007FFC43EC1000-memory.dmp

memory/2692-2-0x000002397B2F0000-0x000002397B300000-memory.dmp

memory/2692-6-0x00007FFC43400000-0x00007FFC43EC1000-memory.dmp

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

MD5 369204590ce91e77109e21a298753522
SHA1 e981f0c86c42e9e8fcbc7dcff0e05c35887a3869
SHA256 a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647
SHA512 bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

MD5 369204590ce91e77109e21a298753522
SHA1 e981f0c86c42e9e8fcbc7dcff0e05c35887a3869
SHA256 a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647
SHA512 bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\369204590CE91E77109E21A298753522.exe.log

MD5 3308a84a40841fab7dfec198b3c31af7
SHA1 4e7ab6336c0538be5dd7da529c0265b3b6523083
SHA256 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e
SHA512 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

memory/4760-11-0x00007FFC425A0000-0x00007FFC43061000-memory.dmp

memory/4760-12-0x000001896F9C0000-0x000001896F9D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp92DA.tmp

MD5 89d2d5811c1aff539bb355f15f3ddad0
SHA1 5bb3577c25b6d323d927200c48cd184a3e27c873
SHA256 b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12
SHA512 39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt

MD5 c1f73f5dcb831bc091d0ccf9c6e666b7
SHA1 85086a0f8fd5a17b536f0771c847716c52c9f341
SHA256 f3e1e5dde0d0df60baf11ac64f07f32dcf6c4afc24136f8a3e979ef2f351793a
SHA512 c30fa53d86026cd91793bb2d915da2851655260682abf8a86e4fc39de473a6743628bff78f740336ae2b6632b7aaf63db4fbc81af950322c014c79e14e52aa71

C:\Users\Admin\AppData\Local\84tnjh4449\host\hostname

MD5 e6d1ac60cced392a534f9a7197d9f7ef
SHA1 1b6d8898f23c5b23f4c3ad5e77932f85285b02c0
SHA256 60a800c9f86f9cee82ed86e8d9915560e491ebc77dac3061f21b074571cd222c
SHA512 bc48a711544c8836065c0f93e43dbee324d9c82faa5610dc1f0dd6d43eaf76a0e503d679269b3dae8f403c6491f907bbdc36d22f252d1774d3e477c1a672c32c

memory/4760-41-0x00007FFC425A0000-0x00007FFC43061000-memory.dmp

C:\Users\Admin\AppData\Local\84tnjh4449\data\cached-microdesc-consensus.tmp

MD5 a16fb07bbf99c6183f970b4035eb661e
SHA1 8f62ae7875b0473da5b32feff18f468ce6912ef1
SHA256 f364c978e02cd9edc1e0c5728887a1b58c7382bb1a489a571eedcb09dd8c7b0a
SHA512 a81bea0d5ce95fced2089953d9b6e7d99ed5d46885549a5210ad12a6251d8ae4ae00072c246239cacb6cf10b238d71999cb98f3dbd301ab6b6184f737e0e3cbb

memory/4760-50-0x000001896F9C0000-0x000001896F9D0000-memory.dmp