Malware Analysis Report

2024-10-19 06:43

Sample ID 230914-gl9mvahh3v
Target I63f8affb2294c837814c33f5446924ba.exe
SHA256 2d1765fd2323db0b7a1b2a4413f793bb6b3a544ed7ba19c1b0d9c4db80747a93
Tags
gurcu collection spyware stealer discovery
score
10/10

Analysis Overview

score
10/10

SHA256

2d1765fd2323db0b7a1b2a4413f793bb6b3a544ed7ba19c1b0d9c4db80747a93

Threat Level: Known bad

The file I63f8affb2294c837814c33f5446924ba.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection spyware stealer discovery

Detect Gurcu Stealer V3 payload

Gurcu, WhiteSnake

Gurcu family

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Checks installed software on the system

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Unsigned PE

Enumerates physical storage devices

Program crash

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Runs ping.exe

Modifies system certificate store

outlook_win_path

Analysis: static1

Detonation Overview

Reported

2023-09-14 05:54

Signatures

Detect Gurcu Stealer V3 payload

(1 match; no indicator details recorded)

Gurcu family

gurcu

Unsigned PE

(1 match; no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-14 05:54

Reported

2023-09-14 05:57

Platform

win7-20230831-en

Max time kernel

117s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe"

Signatures

Detect Gurcu Stealer V3 payload

(7 matches; no indicator details recorded)

Gurcu, WhiteSnake

stealer gurcu

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
The GUID 9375CFF0413111d3B88A00104B2A6676 names the MAPI profile section in which Outlook keeps account settings, including stored mail-server credentials; the three paths cover Outlook 2016/2019/365 (Office\16.0), Outlook 2013 (Office\15.0) and the legacy Windows Messaging Subsystem location. Each key was opened twice (two passes by the dropped copy).
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (×2) C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (×2) C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (×2) C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Caveat: DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is the SHA-1 thumbprint of DST Root CA X3 and CABD2A79A1076A31F21D253635CB039D4329A5E8 that of ISRG Root X1. Taken together with the fetch from apps.identrust.com and the Cab*.tmp, Tar*.tmp and CryptnetUrlCache files listed under Files, these writes are consistent with Windows' automatic root-certificate update running when the dropped copy opened a TLS connection to archive.torproject.org on Windows 7, not with the sample installing a root of its own; the Windows 10 run (behavioral2) shows no certificate-store writes. The Blob values were not captured in this copy of the report, so the certificate bytes cannot be checked against the key names here.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data not captured] (×3) C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data not captured] C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe N/A
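
To decide whether a "Modifies system certificate store" hit is the OS refreshing a public root or the sample planting its own, parse the Blob that was written and compare it with the key name and with a list of known public roots. The following is an added example, not code from the report or from the sandbox: it implements the CryptoAPI serialized-certificate layout that Windows stores under SystemCertificates\<store>\Certificates\<thumbprint>\Blob (a run of 12-byte property headers, property 32 holding the DER certificate). Because this copy of the report does not reproduce the blob bytes, the demo input is a constructed stand-in; on the real blobs the two thumbprints above would resolve to DST Root CA X3 and ISRG Root X1.

```python
"""Triage a 'Modifies system certificate store' event from its registry Blob.

Added example, not part of the sandbox report. Blob layout: repeated
(DWORD propid, DWORD reserved, DWORD length, data) entries; propid 32
(CERT_CERT_PROP_ID) carries the DER certificate. The DER bytes below are
a constructed stand-in, not the certificates the sample touched.
"""
from __future__ import annotations

import hashlib
import re
import struct

CERT_CERT_PROP_ID = 32
CERT_SHA1_HASH_PROP_ID = 3

# SHA-1 thumbprints of two public roots that Windows adds on its own through the
# automatic root update; both appear as key names in this report.
KNOWN_PUBLIC_ROOTS = {
    "DAC9024F54D8F6DF94935FB1732638CA6AD77C13": "DST Root CA X3",
    "CABD2A79A1076A31F21D253635CB039D4329A5E8": "ISRG Root X1",
}

KEY_RE = re.compile(
    r"\\SystemCertificates\\(?P<store>AuthRoot|ROOT|CA|Disallowed|TrustedPublisher)"
    r"\\Certificates\\(?P<thumb>[0-9A-Fa-f]{40})\b"
)


def parse_serialized_cert(blob: bytes) -> dict[int, bytes]:
    """Return {propid: data} for every property entry in the blob."""
    props: dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        propid, _reserved, size = struct.unpack_from("<III", blob, off)  # reserved is 1 in practice
        off += 12
        if off + size > len(blob):
            raise ValueError(f"property {propid} claims {size} bytes past end of blob")
        props[propid] = blob[off:off + size]
        off += size
    return props


def build_serialized_cert(der: bytes, extra: dict[int, bytes] | None = None) -> bytes:
    """Inverse of parse_serialized_cert; used here only to construct demo blobs."""
    out = bytearray()
    for pid, data in (extra or {}).items():
        out += struct.pack("<III", pid, 1, len(data)) + data
    out += struct.pack("<III", CERT_CERT_PROP_ID, 1, len(der)) + der
    return bytes(out)


def triage(key_path: str, blob: bytes) -> dict[str, str]:
    """Classify one 'Set value ...\\Blob' event by store, key name and certificate hash."""
    m = KEY_RE.search(key_path)
    if not m:
        raise ValueError("not a SystemCertificates\\...\\Certificates\\<thumbprint> key")
    store, key_thumb = m["store"], m["thumb"].upper()
    der = parse_serialized_cert(blob).get(CERT_CERT_PROP_ID)
    if der is None:
        return {"store": store, "key_thumb": key_thumb, "verdict": "no certificate in blob"}
    cert_thumb = hashlib.sha1(der).hexdigest().upper()
    if cert_thumb != key_thumb:
        verdict = "MISMATCH: certificate hash differs from key name"
    elif cert_thumb in KNOWN_PUBLIC_ROOTS:
        verdict = f"known public root ({KNOWN_PUBLIC_ROOTS[cert_thumb]}); consistent with OS auto root update"
    elif store in ("ROOT", "AuthRoot"):
        verdict = "UNKNOWN root added; treat as possible rogue CA"
    else:
        verdict = f"unknown certificate in {store} store"
    return {"store": store, "key_thumb": key_thumb, "cert_thumb": cert_thumb, "verdict": verdict}


# Constructed demo data: a fake 'DER' body (not a parseable X.509 certificate) plus the
# SHA-1 hash property Windows normally stores next to it.
FAKE_DER = bytes.fromhex("308201aa30820113a003020102020900") + b"demo-cert-body" * 4
FAKE_THUMB = hashlib.sha1(FAKE_DER).hexdigest().upper()
DEMO_BLOB = build_serialized_cert(FAKE_DER, {CERT_SHA1_HASH_PROP_ID: hashlib.sha1(FAKE_DER).digest()})
ROOT_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\{}\Blob"

if __name__ == "__main__":
    # Key name agrees with the blob, but the root is not a known public one.
    print(triage(ROOT_KEY.format(FAKE_THUMB), DEMO_BLOB)["verdict"])
    # Key name claims DST Root CA X3 while the blob holds something else.
    print(triage(ROOT_KEY.format("DAC9024F54D8F6DF94935FB1732638CA6AD77C13"), DEMO_BLOB)["verdict"])
```

A hash that disagrees with the key name is the strongest signal of tampering, since the OS always names the key after the certificate's SHA-1; an unknown root whose hash matches the key name still deserves a look, but a match against a public root plus the Cab/Tar/CryptnetUrlCache artefacts points at the auto-update path.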

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe N/A
Token: SeDebugPrivilege (×2) N/A C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe N/A

Suspicious use of WriteProcessMemory

Every Target below is a direct child of the writing Process in the process tree, so these writes reflect ordinary process start-up by the parent rather than injection into an unrelated process. Each pair was logged three times.
Description Indicator Process Target
PID 3016 wrote to memory of 1664 (×3) N/A C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe C:\Windows\System32\cmd.exe
PID 1664 wrote to memory of 2636 (×3) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1664 wrote to memory of 2500 (×3) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1664 wrote to memory of 2520 (×3) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1664 wrote to memory of 2468 (×3) N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe
PID 2468 wrote to memory of 928 (×3) N/A C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe C:\Windows\system32\WerFault.exe
PID 2004 wrote to memory of 2880 (×3) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe
PID 2880 wrote to memory of 1884 (×3) N/A C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe C:\Windows\system32\WerFault.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe

"C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "I63f8affb2294c837814c33f5446924ba" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "I63f8affb2294c837814c33f5446924ba" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe

"C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2468 -s 3048

C:\Windows\system32\taskeng.exe

taskeng.exe {A9280A71-3820-4FA6-AC7C-5E96F04BAEC3} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe

C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2880 -s 3108

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 archive.torproject.org udp 1
DE 159.69.63.226:443 archive.torproject.org tcp 2
US 8.8.8.8:53 ip-api.com udp 1
US 208.95.112.1:80 ip-api.com tcp 2
US 8.8.8.8:53 apps.identrust.com udp 1
US 2.18.121.146:80 apps.identrust.com tcp 1

Files

memory/3016-0-0x0000000000AE0000-0x0000000000AFC000-memory.dmp

memory/3016-1-0x000007FEF5500000-0x000007FEF5EEC000-memory.dmp

memory/3016-2-0x000000001B1D0000-0x000000001B250000-memory.dmp

memory/3016-5-0x000007FEF5500000-0x000007FEF5EEC000-memory.dmp

C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe

MD5 dfb3936eb972928af9ec106505364786
SHA1 06a05bf8d2675ea58e44d3fdc0d9e610be021ca8
SHA256 2d1765fd2323db0b7a1b2a4413f793bb6b3a544ed7ba19c1b0d9c4db80747a93
SHA512 e71c24d1804792be45281e70e97d909817e18d0948dcaf86b3e49d22d9f085278b8d043613f1fee0468a28f9e10218ac2cce3315e4c1575f242b324f606e950f

memory/2468-9-0x0000000000030000-0x000000000004C000-memory.dmp

memory/2468-10-0x000007FEF4B10000-0x000007FEF54FC000-memory.dmp

memory/2468-11-0x000000001AB10000-0x000000001AB90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab5286.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar5335.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2fdf523d06d257380477ff63bd62b72c
SHA1 0051832b2902b10f053ba4cf215a5b6c361af6f2
SHA256 593a7d7306e41edd6bb2a305d1fb7450d9772561e0100bc012e938cc1cfd0b5c
SHA512 de690ea11cdf4723b2dd49a7ed9751bb63f471fdb0e4bd4f26d4d4576b5de244808ce88a72e4179c6f85154a9a6a3cd4b23bbeee2c5436872c82c73556e08a86

memory/2468-76-0x000007FEF4B10000-0x000007FEF54FC000-memory.dmp

memory/2468-77-0x000000001AB10000-0x000000001AB90000-memory.dmp

memory/2880-79-0x000007FEF4B10000-0x000007FEF54FC000-memory.dmp

memory/2880-80-0x0000000002210000-0x0000000002290000-memory.dmp

C:\Users\Admin\AppData\Local\jdm9hu6p1h\port.dat

MD5 e3ea33961a7c5b1ec04d6c97aa3b5379
SHA1 a51a0312093b0b280af66804ff464d5003d762aa
SHA256 ee43ec7cc83b9a0fe422f2b26a3ad983c9ca579ca7bce87d07d971642d9c50eb
SHA512 18d2570d9ac78946175cdcfb6e106677898ee6f94a9eb412a302192cdf45967ce0887c95d92e89d64af9f667c91d0c94b600675c23d0e34dac959ae5b3fb4076

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 46b84581f58b334af1e48e90d9ba1e07
SHA1 74584ff0464724dd00f7d46f12bb88eed2db0472
SHA256 d4321fe9176fca54d5ee2026d8a60526b3b233aa0bfe12f80c317b70475c99b2
SHA512 a18ebfa036abd0a4468ae7956bfd2e18451fe07ac79201ebcbe7227754f95d50e419778efa6c45c8064c5c3b23c867cb58c6953ab150c890ee599ccfbb3bf507

C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt

MD5 1d2c0986ba3c3af924ad4b8776a45190
SHA1 e4199810598c592fb4304eb37cf90d2ce2065a11
SHA256 8f8cc850ea7e227ba100ad943c4c9000857e39d66a0aa6a245f599e6868d04c2
SHA512 275f4de2999bc947be2a179aab2ed6e33d7591d3464d3ba43d3ca1b6fc0ada3aae2090f39dc3620bfcfa57824e26aba7b401145137f87115bbd4c3589a291524

memory/2880-102-0x000007FEF4B10000-0x000007FEF54FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-14 05:54

Reported

2023-09-14 05:57

Platform

win10v2004-20230831-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe"

Signatures

Detect Gurcu Stealer V3 payload

(3 matches; no indicator details recorded)

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3104 wrote to memory of 3420 (×2) N/A C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe C:\Windows\System32\cmd.exe
PID 3420 wrote to memory of 1304 (×2) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3420 wrote to memory of 1988 (×2) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3420 wrote to memory of 4528 (×2) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3420 wrote to memory of 1504 (×2) N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe
PID 1504 wrote to memory of 2480 (×2) N/A C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe C:\Windows\System32\tar.exe
PID 1504 wrote to memory of 2176 (×2) N/A C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe

"C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "I63f8affb2294c837814c33f5446924ba" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "I63f8affb2294c837814c33f5446924ba" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe

"C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe"

C:\Windows\System32\tar.exe

"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpFCFD.tmp" -C "C:\Users\Admin\AppData\Local\jdm9hu6p1h"

C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe

"C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\jdm9hu6p1h\torrc.txt"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 126.141.27.67.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp 1
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp 1
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp 1
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp 1
US 8.8.8.8:53 archive.torproject.org udp 1
US 8.8.8.8:53 ip-api.com udp 1
US 208.95.112.1:80 ip-api.com tcp 1
DE 159.69.63.226:443 archive.torproject.org tcp 1
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp 1
US 8.8.8.8:53 226.63.69.159.in-addr.arpa udp 1
DE 138.201.123.109:9001 - tcp 1
PL 37.235.48.247:7654 - tcp 1
N/A 127.0.0.1:60642 - tcp 1
US 8.8.8.8:53 247.48.235.37.in-addr.arpa udp 1
DE 172.104.152.202:8080 - tcp 32
FR 51.210.108.248:9001 - tcp 1
DE 178.63.19.126:9001 - tcp 1
DE 176.9.103.240:9001 - tcp 1
US 8.8.8.8:53 248.108.210.51.in-addr.arpa udp 1
US 8.8.8.8:53 126.19.63.178.in-addr.arpa udp 1
US 8.8.8.8:53 240.103.9.176.in-addr.arpa udp 1
DE 116.202.101.219:8080 116.202.101.219 tcp 1
US 8.8.8.8:53 api.telegram.org udp 1
NL 149.154.167.220:443 api.telegram.org tcp 1
US 8.8.8.8:53 219.101.202.116.in-addr.arpa udp 1
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp 1
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp 1
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp 1
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp 1
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp 1
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp 1
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp 1

Rows are deduplicated with a count; "-" marks an empty Domain column. Port 9001 is Tor's default ORPort, matching the tor.exe the sample unpacked and started; the in-addr.arpa queries are reverse lookups of the peer addresses in this table (for example 1.112.95.208.in-addr.arpa for 208.95.112.1 and 226.63.69.159.in-addr.arpa for 159.69.63.226). The api.telegram.org connection appears only after tor.exe is running.

Files

memory/3104-0-0x0000027783A40000-0x0000027783A5C000-memory.dmp

memory/3104-1-0x00007FF8514D0000-0x00007FF851F91000-memory.dmp

memory/3104-2-0x00000277840D0000-0x00000277840E0000-memory.dmp

memory/3104-6-0x00007FF8514D0000-0x00007FF851F91000-memory.dmp

C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe

MD5 dfb3936eb972928af9ec106505364786
SHA1 06a05bf8d2675ea58e44d3fdc0d9e610be021ca8
SHA256 2d1765fd2323db0b7a1b2a4413f793bb6b3a544ed7ba19c1b0d9c4db80747a93
SHA512 e71c24d1804792be45281e70e97d909817e18d0948dcaf86b3e49d22d9f085278b8d043613f1fee0468a28f9e10218ac2cce3315e4c1575f242b324f606e950f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\I63f8affb2294c837814c33f5446924ba.exe.log

MD5 fc1be6f3f52d5c841af91f8fc3f790cb
SHA1 ac79b4229e0a0ce378ae22fc6104748c5f234511
SHA256 6da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910
SHA512 2f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6

memory/1504-11-0x00007FF850C00000-0x00007FF8516C1000-memory.dmp

memory/1504-12-0x000001F8B06B0000-0x000001F8B06C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFCFD.tmp

MD5 89d2d5811c1aff539bb355f15f3ddad0
SHA1 5bb3577c25b6d323d927200c48cd184a3e27c873
SHA256 b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12
SHA512 39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\jdm9hu6p1h\torrc.txt

MD5 45141efbaeabc9241ff81da062f50ddd
SHA1 2c73309a2ab508a83f8d3b905d125cd5d986eb3d
SHA256 de6724f5e4037654a7434ed02ccaa77c211a2ab2b2df3e0df1da9e735c9ffbaa
SHA512 720f86f62edba43abc996eb1d65c39e56219b49fa55924f7cb1c304836e53a8ea91f9d55ef6d834bd1a34f6b8576a43fd2e916d179d9e5da1d4fc5fbebb1075f

C:\Users\Admin\AppData\Local\jdm9hu6p1h\host\hostname

MD5 540adcf35dea5b5f839e1a076f288be7
SHA1 f5eb5e41d942780ef1db4373ab8950b72a3145a9
SHA256 3262bbcc065509953da2c1a65b30d045d41686f354c6f6e9b997a0748edfe8b6
SHA512 e8c232051eea2d71994cfcfaaa4607c07ea81612f77601ca0fad1e7f122a66e00c1be5c29bae9e0717f688dfbceb59b30cc92b793e49bdae8c453a438864d828

memory/1504-45-0x00007FF850C00000-0x00007FF8516C1000-memory.dmp

C:\Users\Admin\AppData\Local\jdm9hu6p1h\data\cached-microdesc-consensus.tmp

MD5 c8eab448f2d958af2f5b8b13a07b1df5
SHA1 be084aed25bc28de101f9a74fdbb1f9fc6293ec6
SHA256 89345602270280980ec8c07f08b0feb2499072f102af1a9b7b3f61b10ab0e468
SHA512 7dfb251edd5ba0167b29d9a33411e353d5e0d7104eca4a1b7621fe5e3f723d9e9e9391ac1906e582dc254693295231d6c27c678af728873c928da7a5facaac93

memory/1504-51-0x000001F8B06B0000-0x000001F8B06C0000-memory.dmp

C:\Users\Admin\AppData\Local\jdm9hu6p1h\data\cached-microdescs.new

MD5 ec369b59d6ec153b451a65fc9b12db4e
SHA1 d34881f9fde23e7dfc2666ffd1821be729fbbd4e
SHA256 f4f9a17e8f0c90864916b51621b27af90654bcac17984eeb757e978b766cacd0
SHA512 f578775f0eea2391711c8c98a891079c2396b29300a110e33ffba911d9442e4ba803a283033594b9456e6986c6dd5cd0016e40ce13435cf6730ac2088b7d72f7