Malware Analysis Report

2024-10-19 06:43

Sample ID 230913-tzjd2agb64
Target B9a5797cb584014f3fede.exe
SHA256 44eca198c64197c511441f644895afd6a2777c28bcb6a376d4d4623b030ced31
Tags
gurcu collection spyware stealer discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

44eca198c64197c511441f644895afd6a2777c28bcb6a376d4d4623b030ced31

Threat Level: Known bad

The file B9a5797cb584014f3fede.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection spyware stealer discovery

Gurcu family

Gurcu, WhiteSnake

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

Drops file in System32 directory

Program crash

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Uses Task Scheduler COM API

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-13 16:29

Signatures

Gurcu family

gurcu

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-13 16:29

Reported

2023-09-13 16:33

Platform

win7-20230831-en

Max time kernel

118s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\B9a5797cb584014f3fede.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\B9a5797cb584014f3fede.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1628 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\B9a5797cb584014f3fede.exe C:\Windows\System32\cmd.exe
PID 1628 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\B9a5797cb584014f3fede.exe C:\Windows\System32\cmd.exe
PID 1628 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\B9a5797cb584014f3fede.exe C:\Windows\System32\cmd.exe
PID 2640 wrote to memory of 2740 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2640 wrote to memory of 2740 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2640 wrote to memory of 2740 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2640 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2640 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2640 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2640 wrote to memory of 2508 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2640 wrote to memory of 2508 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2640 wrote to memory of 2508 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2640 wrote to memory of 1472 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
PID 2640 wrote to memory of 1472 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
PID 2640 wrote to memory of 1472 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
PID 1472 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe C:\Windows\system32\WerFault.exe
PID 1472 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe C:\Windows\system32\WerFault.exe
PID 1472 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe C:\Windows\system32\WerFault.exe
PID 2236 wrote to memory of 2264 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
PID 2236 wrote to memory of 2264 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
PID 2236 wrote to memory of 2264 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
PID 2264 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe C:\Windows\system32\WerFault.exe
PID 2264 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe C:\Windows\system32\WerFault.exe
PID 2264 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe C:\Windows\system32\WerFault.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\B9a5797cb584014f3fede.exe

"C:\Users\Admin\AppData\Local\Temp\B9a5797cb584014f3fede.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "B9a5797cb584014f3fede" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\B9a5797cb584014f3fede.exe" &&START "" "C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "B9a5797cb584014f3fede" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe

"C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1472 -s 1132

C:\Windows\system32\taskeng.exe

taskeng.exe {F5CDC913-BE30-42BB-A222-707239B5C381} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2264 -s 3192

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 blockchain.com udp
NL 142.250.179.142:80 google.com tcp
US 104.16.30.98:80 blockchain.com tcp
US 8.8.8.8:53 pornhub.com udp
NL 142.250.179.142:80 google.com tcp
US 66.254.114.41:80 pornhub.com tcp
US 66.254.114.41:80 pornhub.com tcp
US 8.8.8.8:53 eset.com udp
SK 91.228.166.47:80 eset.com tcp
US 66.254.114.41:443 pornhub.com tcp
US 66.254.114.41:443 pornhub.com tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 archive.torproject.org udp
NL 216.58.214.14:80 youtube.com tcp
US 8.8.8.8:53 www.eset.com udp
NL 216.58.214.14:80 youtube.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
US 2.18.121.147:443 www.eset.com tcp
US 8.8.8.8:53 www.pornhub.com udp
US 8.8.8.8:53 www.pornhub.com udp
NL 142.250.179.142:80 google.com tcp
US 66.254.114.41:443 www.pornhub.com tcp
US 66.254.114.41:443 www.pornhub.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.136:80 apps.identrust.com tcp
US 104.16.30.98:80 blockchain.com tcp
US 8.8.8.8:53 www.blockchain.com udp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
NL 154.61.71.13:80 tcp
US 104.16.30.98:443 www.blockchain.com tcp
NL 142.250.179.142:80 google.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
NL 142.250.179.142:80 google.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
NL 154.61.71.13:80 tcp
NL 154.61.71.13:80 tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 ip-api.com udp
NL 154.61.71.13:80 tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 youtube.com udp
DE 159.69.63.226:443 archive.torproject.org tcp
US 66.254.114.41:80 www.pornhub.com tcp
US 66.254.114.41:80 www.pornhub.com tcp
US 8.8.8.8:53 youtube.com udp
NL 216.58.214.14:80 youtube.com tcp
NL 216.58.214.14:80 youtube.com tcp
US 66.254.114.41:443 www.pornhub.com tcp
US 66.254.114.41:443 www.pornhub.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 66.254.114.41:443 www.pornhub.com tcp
US 66.254.114.41:443 www.pornhub.com tcp
NL 154.61.71.13:80 tcp
US 104.16.30.98:443 www.blockchain.com tcp
NL 142.250.179.142:80 google.com tcp
NL 154.61.71.13:80 tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
NL 142.250.179.142:80 google.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 telegram.org udp
NL 149.154.167.99:80 telegram.org tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
NL 142.250.179.142:80 google.com tcp
SK 91.228.166.47:80 eset.com tcp
US 8.8.8.8:53 www.eset.com udp
US 208.95.112.1:80 ip-api.com tcp
US 152.195.19.97:443 www.eset.com tcp

Files

memory/1628-0-0x0000000000120000-0x00000000001AA000-memory.dmp

memory/1628-1-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

memory/1628-2-0x0000000000350000-0x00000000003D0000-memory.dmp

memory/1628-5-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe

MD5 862e7aeb18ba5892f51b5712a213a614
SHA1 99d86e4247f52c3ea9b2bb476af66dfc7707fa8d
SHA256 44eca198c64197c511441f644895afd6a2777c28bcb6a376d4d4623b030ced31
SHA512 678fc8fb5dc887f41db90e6341229ce35c830ffac4cbb91ea669ab5e8bc849bae05c15909ae62e4dfd3a249bb2ff062eaa0e256989fe203863db0396c60ec713

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe

MD5 862e7aeb18ba5892f51b5712a213a614
SHA1 99d86e4247f52c3ea9b2bb476af66dfc7707fa8d
SHA256 44eca198c64197c511441f644895afd6a2777c28bcb6a376d4d4623b030ced31
SHA512 678fc8fb5dc887f41db90e6341229ce35c830ffac4cbb91ea669ab5e8bc849bae05c15909ae62e4dfd3a249bb2ff062eaa0e256989fe203863db0396c60ec713

memory/1472-9-0x0000000000BB0000-0x0000000000C3A000-memory.dmp

memory/1472-10-0x000007FEF4BB0000-0x000007FEF559C000-memory.dmp

memory/1472-11-0x000000001B460000-0x000000001B4E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab55A2.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar55E3.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/1472-81-0x000007FEF4BB0000-0x000007FEF559C000-memory.dmp

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe

MD5 862e7aeb18ba5892f51b5712a213a614
SHA1 99d86e4247f52c3ea9b2bb476af66dfc7707fa8d
SHA256 44eca198c64197c511441f644895afd6a2777c28bcb6a376d4d4623b030ced31
SHA512 678fc8fb5dc887f41db90e6341229ce35c830ffac4cbb91ea669ab5e8bc849bae05c15909ae62e4dfd3a249bb2ff062eaa0e256989fe203863db0396c60ec713

memory/2264-83-0x000007FEF4BB0000-0x000007FEF559C000-memory.dmp

C:\Users\Admin\AppData\Local\gzrj1xdnai\port.dat

MD5 8a0cd50ecce34cfd150d3d512ccf42cf
SHA1 dd44a7e0c789baf2c33278b65a8d82359863658c
SHA256 b8efa9f64b3e6e239999946db7be898ddf0b428b568eddb804447bfa39dd4568
SHA512 5ce3ca00ae8b2130cf0a02c1c6dce4747d8ad21eabd7afeaa5098e2bfee5a9776f41d347fceb89b70400061d8dd9e76fa6b3407455ebde0632e933d4564d43b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 903dd579a3c16a31e65b7f7fff7300fa
SHA1 08a3c2408a2d0591555771b1c31bd235226bce76
SHA256 505b16985dc84971eaba917db8f9406b8f23d051a7415f6a900a4c2b4952ca18
SHA512 74e341696693481fb84be0a079a974f03af7c6d38dbe4e2bff92787f1248e279148c6d954fe04efdf8dfe991b00f3b722ba09b88d8e69e5833eacc5a8faced6d

memory/2264-110-0x000007FEF4BB0000-0x000007FEF559C000-memory.dmp

memory/2264-111-0x000000001B4A0000-0x000000001B520000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-13 16:29

Reported

2023-09-13 16:33

Platform

win10v2004-20230831-en

Max time kernel

64s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\B9a5797cb584014f3fede.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\B9a5797cb584014f3fede.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{F4EA2D31-687C-4ECA-9A36-98F39FF9EEF0}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat C:\Windows\System32\svchost.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\B9a5797cb584014f3fede.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4820 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\B9a5797cb584014f3fede.exe C:\Windows\System32\cmd.exe
PID 4820 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\B9a5797cb584014f3fede.exe C:\Windows\System32\cmd.exe
PID 4076 wrote to memory of 2728 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4076 wrote to memory of 2728 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4076 wrote to memory of 2252 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4076 wrote to memory of 2252 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4076 wrote to memory of 3596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4076 wrote to memory of 3596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4076 wrote to memory of 4428 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
PID 4076 wrote to memory of 4428 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe
PID 4428 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe C:\Windows\System32\tar.exe
PID 4428 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe C:\Windows\System32\tar.exe
PID 4428 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe
PID 4428 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\B9a5797cb584014f3fede.exe

"C:\Users\Admin\AppData\Local\Temp\B9a5797cb584014f3fede.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "B9a5797cb584014f3fede" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\B9a5797cb584014f3fede.exe" &&START "" "C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "B9a5797cb584014f3fede" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe

"C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe"

C:\Windows\System32\tar.exe

"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp9933.tmp" -C "C:\Users\Admin\AppData\Local\gzrj1xdnai"

C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe

"C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 126.24.238.8.in-addr.arpa udp
US 8.8.8.8:53 pornhub.com udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 archive.torproject.org udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 blockchain.com udp
US 66.254.114.41:80 pornhub.com tcp
US 66.254.114.41:80 pornhub.com tcp
US 104.16.30.98:80 blockchain.com tcp
NL 142.250.179.142:80 google.com tcp
NL 216.58.214.14:80 youtube.com tcp
NL 216.58.214.14:80 youtube.com tcp
US 104.16.30.98:80 blockchain.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
NL 142.250.179.142:80 google.com tcp
US 66.254.114.41:443 pornhub.com tcp
US 66.254.114.41:443 pornhub.com tcp
US 8.8.8.8:53 www.blockchain.com udp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
NL 142.250.179.142:80 google.com tcp
US 8.8.8.8:53 www.pornhub.com udp
US 66.254.114.41:443 www.pornhub.com tcp
US 66.254.114.41:443 www.pornhub.com tcp
NL 154.61.71.13:80 tcp
NL 154.61.71.13:80 tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 98.30.16.104.in-addr.arpa udp
US 8.8.8.8:53 41.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 142.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 226.63.69.159.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 140.82.112.4:80 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 140.82.112.4:443 github.com tcp
US 66.254.114.41:80 www.pornhub.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 8.8.8.8:53 eset.com udp
US 8.8.8.8:53 4.112.82.140.in-addr.arpa udp
US 104.16.30.98:443 www.blockchain.com tcp
SK 91.228.166.47:80 eset.com tcp
US 140.82.112.4:80 github.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
SK 91.228.166.47:80 eset.com tcp
US 8.8.8.8:53 www.eset.com udp
US 2.18.121.146:443 www.eset.com tcp
US 140.82.112.4:443 github.com tcp
US 2.18.121.146:443 www.eset.com tcp
NL 154.61.71.13:80 tcp
NL 154.61.71.13:80 tcp
US 8.8.8.8:53 47.166.228.91.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 146.121.18.2.in-addr.arpa udp
SK 91.228.166.47:80 eset.com tcp
US 2.18.121.146:443 www.eset.com tcp
NL 154.61.71.13:80 tcp
US 140.82.112.4:80 github.com tcp
US 8.8.8.8:53 telegram.org udp
US 8.8.8.8:53 transfer.sh udp
NL 149.154.167.99:80 telegram.org tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.99:443 telegram.org tcp
US 199.249.230.168:443 tcp
US 140.82.112.4:443 github.com tcp
N/A 127.0.0.1:63641 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 168.230.249.199.in-addr.arpa udp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 66.254.114.41:80 www.pornhub.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 154.61.71.13:80 tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
SE 79.141.174.124:9001 tcp
US 64.52.108.69:443 tcp
CH 85.195.253.142:9005 tcp
US 8.8.8.8:53 142.253.195.85.in-addr.arpa udp
US 8.8.8.8:53 124.174.141.79.in-addr.arpa udp
US 8.8.8.8:53 69.108.52.64.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 140.82.112.4:80 github.com tcp
US 140.82.112.4:443 github.com tcp
US 140.82.112.4:80 github.com tcp
US 140.82.112.4:443 github.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 140.82.112.4:80 github.com tcp
US 140.82.112.4:443 github.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 140.82.112.4:80 github.com tcp
NL 149.154.167.99:80 telegram.org tcp
US 140.82.112.4:443 github.com tcp
NL 154.61.71.13:80 tcp
US 140.82.112.4:80 github.com tcp
US 140.82.112.4:443 github.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 126.21.238.8.in-addr.arpa udp
NL 154.61.71.13:80 tcp
US 140.82.112.4:80 github.com tcp
US 140.82.112.4:443 github.com tcp
US 140.82.112.4:80 github.com tcp
US 140.82.112.4:443 github.com tcp
US 8.8.8.8:53 254.209.247.8.in-addr.arpa udp
US 140.82.112.4:80 github.com tcp
US 140.82.112.4:443 github.com tcp
NL 154.61.71.13:80 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 140.82.112.4:80 github.com tcp
US 140.82.112.4:443 github.com tcp
US 140.82.112.4:80 github.com tcp
US 140.82.112.4:443 github.com tcp
NL 154.61.71.13:80 tcp
US 140.82.112.4:80 github.com tcp
US 8.8.8.8:53 163.252.72.23.in-addr.arpa udp
US 140.82.112.4:443 github.com tcp

Files

memory/4820-0-0x000001BCA5B70000-0x000001BCA5BFA000-memory.dmp

memory/4820-3-0x00007FFF3BE90000-0x00007FFF3C951000-memory.dmp

memory/4820-4-0x000001BCC0240000-0x000001BCC0250000-memory.dmp

memory/4820-6-0x00007FFF3BE90000-0x00007FFF3C951000-memory.dmp

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe

MD5 862e7aeb18ba5892f51b5712a213a614
SHA1 99d86e4247f52c3ea9b2bb476af66dfc7707fa8d
SHA256 44eca198c64197c511441f644895afd6a2777c28bcb6a376d4d4623b030ced31
SHA512 678fc8fb5dc887f41db90e6341229ce35c830ffac4cbb91ea669ab5e8bc849bae05c15909ae62e4dfd3a249bb2ff062eaa0e256989fe203863db0396c60ec713

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe

MD5 862e7aeb18ba5892f51b5712a213a614
SHA1 99d86e4247f52c3ea9b2bb476af66dfc7707fa8d
SHA256 44eca198c64197c511441f644895afd6a2777c28bcb6a376d4d4623b030ced31
SHA512 678fc8fb5dc887f41db90e6341229ce35c830ffac4cbb91ea669ab5e8bc849bae05c15909ae62e4dfd3a249bb2ff062eaa0e256989fe203863db0396c60ec713

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\B9a5797cb584014f3fede.exe.log

MD5 3308a84a40841fab7dfec198b3c31af7
SHA1 4e7ab6336c0538be5dd7da529c0265b3b6523083
SHA256 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e
SHA512 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

memory/4428-11-0x00007FFF3AD30000-0x00007FFF3B7F1000-memory.dmp

memory/4428-12-0x0000028CCD7D0000-0x0000028CCD7E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9933.tmp

MD5 89d2d5811c1aff539bb355f15f3ddad0
SHA1 5bb3577c25b6d323d927200c48cd184a3e27c873
SHA256 b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12
SHA512 39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\gzrj1xdnai\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\gzrj1xdnai\torrc.txt

MD5 ad0f07374e1929b64c70c20cfd9244a4
SHA1 1866cbe3071bfdada6087e7541e19a99018ef8f8
SHA256 ac205f67105f6cc560ed2be7987f85416612b780494cb3d33b9a685ebf94433d
SHA512 f1110fb03a2138e1f88776c1869fcfaa1034744c25ba9324eb7aace9b6af6556347453586afd46debf8ba19e50ba4c31f7119a40cca468112f9a2c78c6c1437a

C:\Users\Admin\AppData\Local\gzrj1xdnai\host\hostname

MD5 157e51e7d35356720a1f25411e829c59
SHA1 63cd8430173d1f61e3d2fc22b009c25776bc36a5
SHA256 d35b9f1c4640f63e74732784c4cfd5881d14bbeb6d3caf34eb4c2c099235f1e7
SHA512 fe7e516a195833941fc90ec61f4fdefdfe135091e28f3daa0081c23e2231988ae09f5841d7fda36d66dcd15190fb22da938ab2c0bdffdea7b9dc5257cb171586

memory/4428-42-0x00007FFF3AD30000-0x00007FFF3B7F1000-memory.dmp

C:\Users\Admin\AppData\Local\gzrj1xdnai\data\cached-microdesc-consensus.tmp

MD5 bd62b36b142606e1413729643de9cb48
SHA1 4f4c5fb65f141a46bdc0ba272ddbd7dc13ab76a2
SHA256 ff2044265d8b66e1b0c9f8dd5fa4a9ffdf0295cc08e6805366ce1810856abda1
SHA512 1176f2adcace173689b47edde52d746c0423c5ce5674a4cb93b3ce183c0961bad71612ed016955ef1c952f8ed044ab67648c57a988b68eb73c8b553cd732a9c4

memory/4428-51-0x0000028CCD7D0000-0x0000028CCD7E0000-memory.dmp

C:\Users\Admin\AppData\Local\gzrj1xdnai\data\cached-microdescs.new

MD5 5c5df5c6aec46a7a25a228b6eafc6ebc
SHA1 e56e54573404da4b49a13093e201f46d060bb1e3
SHA256 8f424b07014c8cab7bf66e3ae7fc4ac72cbcee6ba1ba48e38535e547ee3dc301
SHA512 5257fa39cd4e7fa8774680de6748d3612cae9da8242dbb49312c6f243437cb0dd2a7802484b380e1fd84edd80a7ebdd9f92db4bf73100eed7c5644356fb99236

C:\Users\Admin\AppData\Local\Temp\wsuDC75.tmp

MD5 c01eaa0bdcd7c30a42bbb35a9acbf574
SHA1 0aee3e1b873e41d040f1991819d0027b6cc68f54
SHA256 32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40
SHA512 d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 e78416815d49f6190fc5a95c765019d5
SHA1 d1889adc6eddbf08eae432218a395cca3c294183
SHA256 0c9df8ced1cbb9e492da5b4e5e21e13100940dec3719f590c7743a8c2a399837
SHA512 83580a373013d74e42c55c62b6bd9124d2fcd2b04531e257154148da840f5abf7ba0243652315ef22155579d09a9ba080f26d6b8000832cfbe5094723a0dbb2f

C:\Users\Admin\AppData\Local\Nvidia\B9a5797cb584014f3fede.exe

MD5 862e7aeb18ba5892f51b5712a213a614
SHA1 99d86e4247f52c3ea9b2bb476af66dfc7707fa8d
SHA256 44eca198c64197c511441f644895afd6a2777c28bcb6a376d4d4623b030ced31
SHA512 678fc8fb5dc887f41db90e6341229ce35c830ffac4cbb91ea669ab5e8bc849bae05c15909ae62e4dfd3a249bb2ff062eaa0e256989fe203863db0396c60ec713

memory/4204-208-0x00007FFF3AD30000-0x00007FFF3B7F1000-memory.dmp