Malware Analysis Report

2024-10-19 06:43

Sample ID 230913-ne7cgabe3w
Target Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe
SHA256 41505242cdbf259aada52b773daeec33d239e4aefd685ba9e406d2cf2f9871a4
Tags
gurcu collection spyware stealer discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

41505242cdbf259aada52b773daeec33d239e4aefd685ba9e406d2cf2f9871a4

Threat Level: Known bad

The file Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection spyware stealer discovery

Gurcu family

Gurcu, WhiteSnake

Deletes itself

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks installed software on the system

Program crash

Enumerates physical storage devices

Unsigned PE

outlook_office_path

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies system certificate store

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-13 11:19

Signatures

Gurcu family

gurcu

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-13 11:19

Reported

2023-09-13 11:22

Platform

win7-20230831-en

Max time kernel

122s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2356 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe C:\Windows\System32\cmd.exe
PID 2356 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe C:\Windows\System32\cmd.exe
PID 2356 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe C:\Windows\System32\cmd.exe
PID 2312 wrote to memory of 2700 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2312 wrote to memory of 2700 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2312 wrote to memory of 2700 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2312 wrote to memory of 2716 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2312 wrote to memory of 2716 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2312 wrote to memory of 2716 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2312 wrote to memory of 2988 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2312 wrote to memory of 2988 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2312 wrote to memory of 2988 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2312 wrote to memory of 1212 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe
PID 2312 wrote to memory of 1212 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe
PID 2312 wrote to memory of 1212 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe
PID 1212 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe C:\Windows\system32\WerFault.exe
PID 1212 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe C:\Windows\system32\WerFault.exe
PID 1212 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe C:\Windows\system32\WerFault.exe
PID 548 wrote to memory of 2184 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe
PID 548 wrote to memory of 2184 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe
PID 548 wrote to memory of 2184 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe
PID 2184 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe C:\Windows\system32\WerFault.exe
PID 2184 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe C:\Windows\system32\WerFault.exe
PID 2184 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe C:\Windows\system32\WerFault.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe

"C:\Users\Admin\AppData\Local\Temp\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Xd2c386a3a6edfe99de10f6ce6b3659c4809a" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe" &&START "" "C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "Xd2c386a3a6edfe99de10f6ce6b3659c4809a" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe

"C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1212 -s 2508

C:\Windows\system32\taskeng.exe

taskeng.exe {68CFDAFE-718F-4246-8740-865584944447} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe

C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2184 -s 700

Network

Country Destination Domain Proto

Files

memory/2356-0-0x00000000013A0000-0x00000000013EE000-memory.dmp

memory/2356-1-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

memory/2356-2-0x000000001B380000-0x000000001B400000-memory.dmp

memory/2356-5-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe

MD5 88cfc2ccc0575567122d1d233f9eb1c3
SHA1 4be67d0d801197f88c14d62f4495f17e89fc471f
SHA256 41505242cdbf259aada52b773daeec33d239e4aefd685ba9e406d2cf2f9871a4
SHA512 a2dd9ab7a2fe2a6d596c78394f65956f3e8973940229b305e2d763be69ff9f27b1450b5e08ca57cd0886a873fb663daad20ca94d9262a6c80a582dfc5f2e42b7

C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe

MD5 88cfc2ccc0575567122d1d233f9eb1c3
SHA1 4be67d0d801197f88c14d62f4495f17e89fc471f
SHA256 41505242cdbf259aada52b773daeec33d239e4aefd685ba9e406d2cf2f9871a4
SHA512 a2dd9ab7a2fe2a6d596c78394f65956f3e8973940229b305e2d763be69ff9f27b1450b5e08ca57cd0886a873fb663daad20ca94d9262a6c80a582dfc5f2e42b7

memory/1212-9-0x0000000000010000-0x000000000005E000-memory.dmp

memory/1212-11-0x000000001B010000-0x000000001B090000-memory.dmp

memory/1212-10-0x000007FEF49B0000-0x000007FEF539C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab4D29.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar4D3C.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/1212-88-0x000007FEF49B0000-0x000007FEF539C000-memory.dmp

memory/1212-89-0x000000001B010000-0x000000001B090000-memory.dmp

C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe

MD5 88cfc2ccc0575567122d1d233f9eb1c3
SHA1 4be67d0d801197f88c14d62f4495f17e89fc471f
SHA256 41505242cdbf259aada52b773daeec33d239e4aefd685ba9e406d2cf2f9871a4
SHA512 a2dd9ab7a2fe2a6d596c78394f65956f3e8973940229b305e2d763be69ff9f27b1450b5e08ca57cd0886a873fb663daad20ca94d9262a6c80a582dfc5f2e42b7

memory/2184-91-0x000007FEF49B0000-0x000007FEF539C000-memory.dmp

C:\Users\Admin\AppData\Local\xdh16uwiax\port.dat

MD5 4b7a55505729b7f664e7222960e9c2d5
SHA1 87920921c770b54d62fd553645a7fc579e1a9a7f
SHA256 cdd17cd0ba8b0ae28b6674eb62f8a5a3f0c311aac2b73b82f1eebaaf57cc1179
SHA512 60b98cc52594c056367b8d11285d882d2547590652572cd7fa81de218fc7aca77f49ce908e4d4820df1f794db122860c4dbcca0736fbb1d0431e9900bd7b584c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 628d43fa35b8fbed1c5e59bc4d4dda79
SHA1 d144cf07bb653a04fecc5bddbc8a91a925e80bac
SHA256 cd21e2e25989bbeca8f90db89b4889cce58cd45ffa9577325632a1b6a00e080c
SHA512 61436fcf74352434dabbffd844627fbaf3036f6d6e4ccf4dc5b274bdfd66b7495d46b2cdb9bcf5fc4aef5593ca29bc74bb50645be15e52c3bf019ba5a86517ef

memory/2184-111-0x000007FEF49B0000-0x000007FEF539C000-memory.dmp

memory/2184-112-0x000000001B050000-0x000000001B0D0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-13 11:19

Reported

2023-09-13 11:22

Platform

win10v2004-20230831-en

Max time kernel

154s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 764 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe C:\Windows\System32\cmd.exe
PID 764 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe C:\Windows\System32\cmd.exe
PID 4344 wrote to memory of 2176 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4344 wrote to memory of 2176 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4344 wrote to memory of 3964 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4344 wrote to memory of 3964 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4344 wrote to memory of 1640 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4344 wrote to memory of 1640 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4344 wrote to memory of 1132 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe
PID 4344 wrote to memory of 1132 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe
PID 1132 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe C:\Windows\System32\tar.exe
PID 1132 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe C:\Windows\System32\tar.exe
PID 1132 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe C:\Users\Admin\AppData\Local\xdh16uwiax\tor\tor.exe
PID 1132 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe C:\Users\Admin\AppData\Local\xdh16uwiax\tor\tor.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe

"C:\Users\Admin\AppData\Local\Temp\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Xd2c386a3a6edfe99de10f6ce6b3659c4809a" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe" &&START "" "C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "Xd2c386a3a6edfe99de10f6ce6b3659c4809a" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe

"C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe"

C:\Windows\System32\tar.exe

"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpBC1C.tmp" -C "C:\Users\Admin\AppData\Local\xdh16uwiax"

C:\Users\Admin\AppData\Local\xdh16uwiax\tor\tor.exe

"C:\Users\Admin\AppData\Local\xdh16uwiax\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xdh16uwiax\torrc.txt"

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Nvidia\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Xd2c386a3a6edfe99de10f6ce6b3659c4809a.exe.log

C:\Users\Admin\AppData\Local\Temp\tmpBC1C.tmp

C:\Users\Admin\AppData\Local\xdh16uwiax\tor\tor.exe

C:\Users\Admin\AppData\Local\xdh16uwiax\torrc.txt

C:\Users\Admin\AppData\Local\xdh16uwiax\host\hostname

C:\Users\Admin\AppData\Local\xdh16uwiax\data\cached-microdesc-consensus.tmp

C:\Users\Admin\AppData\Local\xdh16uwiax\data\cached-microdescs.new