Malware Analysis Report

2024-10-19 06:43

Sample ID 230914-lxrcvsbc41
Target x19a4f9f3d16fcc9779ba8ea79bf7.exe
SHA256 c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d
Tags
gurcu collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d

Threat Level: Known bad

The file x19a4f9f3d16fcc9779ba8ea79bf7.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection spyware stealer

Gurcu family

Gurcu, WhiteSnake

Reads user/profile data of web browsers

Deletes itself

Executes dropped EXE

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

outlook_office_path

outlook_win_path

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-14 09:55

Signatures

Gurcu family

gurcu

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-14 09:55

Reported

2023-09-14 09:58

Platform

win7-20230831-en

Max time kernel

12s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\cmd.exe
PID 1168 wrote to memory of 1804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1168 wrote to memory of 2188 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1168 wrote to memory of 2356 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1168 wrote to memory of 2624 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

Network


Files

memory/2412-0-0x0000000000F10000-0x0000000000F78000-memory.dmp

memory/2412-1-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

memory/2412-2-0x000000001B240000-0x000000001B2C0000-memory.dmp

memory/2412-5-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

MD5 2299a17350433284e58bd0fcc10edf41
SHA1 d477f1cd55365db00ca77cc5459afabe1ffc80b3
SHA256 c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d
SHA512 123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1

memory/2624-9-0x0000000000DC0000-0x0000000000E28000-memory.dmp

memory/2624-10-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

memory/2624-11-0x000000001ADC0000-0x000000001AE40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab5EC6.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar5F07.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-14 09:55

Reported

2023-09-14 09:58

Platform

win10v2004-20230831-en

Max time kernel

25s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5040 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\cmd.exe
PID 1008 wrote to memory of 2456 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1008 wrote to memory of 4188 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1008 wrote to memory of 2420 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1008 wrote to memory of 4428 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 4428 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\tar.exe
PID 4428 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 1688 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\System32\tar.exe

"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpB66F.tmp" -C "C:\Users\Admin\AppData\Local\xtioxntk7k"

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 460 -p 1688 -ip 1688

Network


Files

memory/5040-0-0x000001E079BF0000-0x000001E079C58000-memory.dmp

memory/5040-1-0x00007FF8A3550000-0x00007FF8A4011000-memory.dmp

memory/5040-2-0x000001E07C1B0000-0x000001E07C1C0000-memory.dmp

memory/5040-6-0x00007FF8A3550000-0x00007FF8A4011000-memory.dmp

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

MD5 2299a17350433284e58bd0fcc10edf41
SHA1 d477f1cd55365db00ca77cc5459afabe1ffc80b3
SHA256 c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d
SHA512 123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x19a4f9f3d16fcc9779ba8ea79bf7.exe.log

MD5 3308a84a40841fab7dfec198b3c31af7
SHA1 4e7ab6336c0538be5dd7da529c0265b3b6523083
SHA256 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e
SHA512 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

memory/4428-11-0x00007FF8A3550000-0x00007FF8A4011000-memory.dmp

memory/4428-12-0x000001EADCFE0000-0x000001EADCFF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB66F.tmp

MD5 89d2d5811c1aff539bb355f15f3ddad0
SHA1 5bb3577c25b6d323d927200c48cd184a3e27c873
SHA256 b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12
SHA512 39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt

MD5 c9bab38ab08f9d2a5b7bb3dac7bf11bc
SHA1 f335e2ad7336008b4c9c1c9ae19dd87f7b75d8b3
SHA256 c8373e5e408f240fd68ec98b001d44d2d38db7875a4591ec54a53c9c2bd6d551
SHA512 300f941c6e678e3821c32c6e204b0645e304cfbb004f21c992a0b96cb465e7bd31b081ec9942ca20bd57fde9fb4ce7e83139e76afd006e90b0a8801c0197e393

C:\Users\Admin\AppData\Local\xtioxntk7k\host\hostname

MD5 c0641012e3e2c2194a473cbd6cc12aee
SHA1 23e74513d4ba471db7e66152e9c0ef6e5cc02c70
SHA256 3532a833868ee006368fb1e1688a5643bae92077490b976a3c0fc8eadfe14883
SHA512 d88d20e0ea07ca70fd6b8b7567a4540c7de3b67c48b3d068212144b9ed8c06a03db3672f8b5203988c1360d6ca9576e0e119254604b0bf0a42ced8dd6627aa84

memory/4428-40-0x00007FF8A3550000-0x00007FF8A4011000-memory.dmp

C:\Users\Admin\AppData\Local\xtioxntk7k\data\cached-microdesc-consensus.tmp

MD5 66b05e5a36ed21e186b6797987197037
SHA1 5f23d4e7844092521d4881d0cb902db77f134f6d
SHA256 3bcb19e6608f1eba65437093adfb1650a6e3bcea8e947581fd0aabc857046dcd
SHA512 dc05b5ad301ad8a0537a94ae6addf603674dac371ae4311ef3d139024ca7f7b2d6553bb1598aeebae063795f281ee79c68738db84e544aad76ea859ab3812baa

memory/4428-49-0x000001EADCFE0000-0x000001EADCFF0000-memory.dmp

C:\Users\Admin\AppData\Local\xtioxntk7k\data\cached-microdescs.new

MD5 d548e1967ffd6bccf122b2e49c33adc7
SHA1 2bce6d111d9de0feb8655f1034f6cf7fb4e6a154
SHA256 79a2f916a0af9030daceea148d19fa4b0e3d85d5e1f05bd9af102dbb27f4bc4b
SHA512 f5bab497c8134851547d6349c62f7207a03401d47d7bbd72a7fea50b71b6d8e54886270ad3fc3e0836b7efdbfb918d17205d3efbe9bd74a5d7e20a04fcbc48f6

memory/1688-56-0x00007FF8A3550000-0x00007FF8A4011000-memory.dmp

memory/1688-69-0x0000013E6C160000-0x0000013E6C170000-memory.dmp

C:\Users\Admin\AppData\Local\xtioxntk7k\port.dat

MD5 a7c9585703d275249f30a088cebba0ad
SHA1 c7780966d9736816247a259aa8b61192868561f0
SHA256 2b169d27d9e55e10515caf1114f67aa60ad2c1021a1a43077fc05103b68013aa
SHA512 55532047dac2d4f6291798a4fae9791eb1fabc1b2e0903557577f7f304f14783103ebe028bdfeb8c87dd0734e57f3e6d739f8dd6ced5f82991d5d253aeae24be
