Malware Analysis Report

2024-10-19 06:43

Sample ID 230914-maw59sea54
Target k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
SHA256 d71329c78c704ee9cc7133761b5e738a315e7eb784e348d7743a8a7366724e9f
Tags
gurcu collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d71329c78c704ee9cc7133761b5e738a315e7eb784e348d7743a8a7366724e9f

Threat Level: Known bad

The file k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection spyware stealer

Gurcu family

Gurcu, WhiteSnake

Reads user/profile data of web browsers

Deletes itself

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-14 10:16

Signatures

Gurcu family

gurcu

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-14 10:16

Reported

2023-09-14 10:18

Platform

win7-20230831-en

Max time kernel

10s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2552 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe C:\Windows\System32\cmd.exe
PID 2552 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe C:\Windows\System32\cmd.exe
PID 2552 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe C:\Windows\System32\cmd.exe
PID 2800 wrote to memory of 1780 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2800 wrote to memory of 1780 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2800 wrote to memory of 1780 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2800 wrote to memory of 2468 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2800 wrote to memory of 2468 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2800 wrote to memory of 2468 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2800 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2800 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2800 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2800 wrote to memory of 2484 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
PID 2800 wrote to memory of 2484 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
PID 2800 wrote to memory of 2484 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

"C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "k2fef4820980d3c2c1f2cce2f95e94f5e1c18" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "k2fef4820980d3c2c1f2cce2f95e94f5e1c18" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

"C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 blockchain.com udp
US 8.8.8.8:53 telegram.org udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 archive.torproject.org udp
US 8.8.8.8:53 blockchain.com udp
US 8.8.8.8:53 github.com udp
NL 216.58.214.14:80 youtube.com tcp
NL 216.58.214.14:80 youtube.com tcp
NL 149.154.167.99:80 telegram.org tcp
US 104.16.30.98:80 blockchain.com tcp
US 104.16.30.98:80 blockchain.com tcp
US 140.82.113.4:80 github.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
NL 216.58.214.14:443 youtube.com tcp
NL 216.58.214.14:443 youtube.com tcp
US 8.8.8.8:53 www.blockchain.com udp
US 8.8.8.8:53 eset.com udp
US 104.16.30.98:443 www.blockchain.com tcp
SK 91.228.166.47:80 eset.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 140.82.113.4:443 github.com tcp
NL 149.154.167.99:80 telegram.org tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 www.eset.com udp
US 2.18.121.146:443 www.eset.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.136:80 apps.identrust.com tcp
US 140.82.113.4:80 github.com tcp
US 140.82.113.4:443 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 140.82.113.4:80 github.com tcp
US 140.82.113.4:80 github.com tcp
US 140.82.113.4:80 github.com tcp
US 140.82.113.4:443 github.com tcp
US 140.82.113.4:443 github.com tcp
US 140.82.113.4:80 github.com tcp
US 140.82.113.4:80 github.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.16.30.98:443 www.blockchain.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 140.82.113.4:443 github.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 140.82.113.4:443 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
NL 149.154.167.99:443 telegram.org tcp

Files

memory/2552-0-0x0000000000CC0000-0x0000000000D1C000-memory.dmp

memory/2552-1-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

memory/2552-2-0x000000001B450000-0x000000001B4D0000-memory.dmp

memory/2552-5-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

MD5 1cab66a5c15f97f040fb23d354d04a9c
SHA1 f0dbebd22b2c7bfedbefa4435b345c58416f9448
SHA256 d71329c78c704ee9cc7133761b5e738a315e7eb784e348d7743a8a7366724e9f
SHA512 a5508a75a0a7c747cc50fe8284b9097e1cb9ae83bd7e80553ffa875a6d07d6eec7fc18f66a0a328aa0614c26642d884bfe152e6c09a11eeb0d64f6be66064eab

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

MD5 1cab66a5c15f97f040fb23d354d04a9c
SHA1 f0dbebd22b2c7bfedbefa4435b345c58416f9448
SHA256 d71329c78c704ee9cc7133761b5e738a315e7eb784e348d7743a8a7366724e9f
SHA512 a5508a75a0a7c747cc50fe8284b9097e1cb9ae83bd7e80553ffa875a6d07d6eec7fc18f66a0a328aa0614c26642d884bfe152e6c09a11eeb0d64f6be66064eab

memory/2484-9-0x0000000000340000-0x000000000039C000-memory.dmp

memory/2484-10-0x000007FEF4FA0000-0x000007FEF598C000-memory.dmp

memory/2484-11-0x00000000004C0000-0x0000000000540000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab6D76.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar6E82.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 174c291360c37eb18856993e912d04f1
SHA1 13df7cc258e54ed5b94540da34a6ecffc4c5b2ac
SHA256 2ef279e1bd898e2a94f3d249b6185604cd93c2534a606d15a6dab8374d9a8c18
SHA512 eca442a238534848e27a292f73bf40863884205e64c189144d8ef18228c4c22142c6759ad65958e29a1d9641e44fb76ad1cae0d55cd0a7ae10c985da163b8112

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-14 10:16

Reported

2023-09-14 10:19

Platform

win10v2004-20230831-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe C:\Windows\System32\cmd.exe
PID 2916 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe C:\Windows\System32\cmd.exe
PID 2292 wrote to memory of 520 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2292 wrote to memory of 520 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2292 wrote to memory of 4132 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2292 wrote to memory of 4132 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2292 wrote to memory of 3244 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2292 wrote to memory of 3244 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2292 wrote to memory of 3620 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
PID 2292 wrote to memory of 3620 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
PID 3620 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe C:\Windows\System32\tar.exe
PID 3620 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe C:\Windows\System32\tar.exe
PID 3620 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
PID 3620 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

"C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "k2fef4820980d3c2c1f2cce2f95e94f5e1c18" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "k2fef4820980d3c2c1f2cce2f95e94f5e1c18" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

"C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe"

C:\Windows\System32\tar.exe

"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp81C3.tmp" -C "C:\Users\Admin\AppData\Local\lcybndk48g"

C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe

"C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 blockchain.com udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 archive.torproject.org udp
DE 159.69.63.226:443 archive.torproject.org tcp
US 104.16.29.98:80 blockchain.com tcp
NL 216.58.214.14:80 youtube.com tcp
US 104.16.29.98:80 blockchain.com tcp
NL 216.58.214.14:80 youtube.com tcp
US 8.8.8.8:53 www.blockchain.com udp
NL 216.58.214.14:443 youtube.com tcp
NL 216.58.214.14:443 youtube.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 8.8.8.8:53 98.29.16.104.in-addr.arpa udp
US 8.8.8.8:53 226.63.69.159.in-addr.arpa udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 98.30.16.104.in-addr.arpa udp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 eset.com udp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
SK 91.228.166.47:80 eset.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 www.eset.com udp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 2.18.121.146:443 www.eset.com tcp
US 8.8.8.8:53 47.166.228.91.in-addr.arpa udp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 google.com udp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
NL 142.250.179.142:80 google.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
SK 91.228.166.47:80 eset.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 2.18.121.146:443 www.eset.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 146.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 142.179.250.142.in-addr.arpa udp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 telegram.org udp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
NL 149.154.167.99:80 telegram.org tcp
US 104.16.29.98:80 www.blockchain.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
CH 176.10.119.69:9001 tcp
US 104.16.30.98:443 www.blockchain.com tcp
NL 149.154.167.99:80 telegram.org tcp
SK 91.228.166.47:80 eset.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 2.18.121.146:443 www.eset.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 github.com udp
US 140.82.114.3:80 github.com tcp
US 140.82.114.3:80 github.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.16.30.98:443 www.blockchain.com tcp
DE 138.201.250.33:9011 tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 140.82.114.3:80 github.com tcp
US 140.82.114.3:443 github.com tcp
US 140.82.114.3:443 github.com tcp
US 140.82.114.3:80 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 140.82.114.3:80 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 140.82.114.3:80 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
N/A 127.0.0.1:55194 tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 140.82.114.3:80 github.com tcp
US 140.82.114.3:443 github.com tcp
US 8.8.8.8:53 3.114.82.140.in-addr.arpa udp
US 8.8.8.8:53 33.250.201.138.in-addr.arpa udp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 140.82.114.3:443 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 140.82.114.3:443 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 140.82.114.3:443 github.com tcp
US 18.18.82.19:9001 tcp
NL 51.158.188.145:443 tcp
DE 144.76.166.141:9002 tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 140.82.114.3:443 github.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 8.8.8.8:53 145.188.158.51.in-addr.arpa udp
US 8.8.8.8:53 141.166.76.144.in-addr.arpa udp
US 8.8.8.8:53 19.82.18.18.in-addr.arpa udp
US 140.82.114.3:443 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 104.16.30.98:443 www.blockchain.com tcp
DE 144.76.166.141:9002 tcp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
SK 91.228.166.47:80 eset.com tcp
US 8.8.8.8:53 www.eset.com udp
US 2.18.121.146:443 www.eset.com tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

memory/2916-0-0x0000028A2A630000-0x0000028A2A68C000-memory.dmp

memory/2916-1-0x00007FFF70630000-0x00007FFF710F1000-memory.dmp

memory/2916-3-0x0000028A2C270000-0x0000028A2C280000-memory.dmp

memory/2916-6-0x00007FFF70630000-0x00007FFF710F1000-memory.dmp

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

MD5 1cab66a5c15f97f040fb23d354d04a9c
SHA1 f0dbebd22b2c7bfedbefa4435b345c58416f9448
SHA256 d71329c78c704ee9cc7133761b5e738a315e7eb784e348d7743a8a7366724e9f
SHA512 a5508a75a0a7c747cc50fe8284b9097e1cb9ae83bd7e80553ffa875a6d07d6eec7fc18f66a0a328aa0614c26642d884bfe152e6c09a11eeb0d64f6be66064eab

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

MD5 1cab66a5c15f97f040fb23d354d04a9c
SHA1 f0dbebd22b2c7bfedbefa4435b345c58416f9448
SHA256 d71329c78c704ee9cc7133761b5e738a315e7eb784e348d7743a8a7366724e9f
SHA512 a5508a75a0a7c747cc50fe8284b9097e1cb9ae83bd7e80553ffa875a6d07d6eec7fc18f66a0a328aa0614c26642d884bfe152e6c09a11eeb0d64f6be66064eab

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe.log

MD5 3308a84a40841fab7dfec198b3c31af7
SHA1 4e7ab6336c0538be5dd7da529c0265b3b6523083
SHA256 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e
SHA512 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

memory/3620-11-0x00007FFF6F510000-0x00007FFF6FFD1000-memory.dmp

memory/3620-12-0x00000211F11F0000-0x00000211F1200000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp81C3.tmp

MD5 89d2d5811c1aff539bb355f15f3ddad0
SHA1 5bb3577c25b6d323d927200c48cd184a3e27c873
SHA256 b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12
SHA512 39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt

MD5 b72a01d286be9556b57abd14c7a3934a
SHA1 68bdf78639dc3ccb16dc54bdbd46cb82509a29b4
SHA256 a15584b9fedcd2ce686bbd76e663bb2a697d14c07aeb0c57b0f79b5709618812
SHA512 e2bcd8aa2fdd5b8ee130522a3fb69697fa756da808bf93e582dbd314e87b5b43ffb139f87050ad6953a3be08b2d80261fd45dcde4be1c63c593ba88b1654a05a

C:\Users\Admin\AppData\Local\lcybndk48g\host\hostname

MD5 b38ba51282f51e8061804e1f4b735524
SHA1 43927d80700cb0857a2fb3d41ee1c8df8689203b
SHA256 350ad4e8baba0f1c50bca073b0c4deb96ead5b10933f7262c5f0541859bf596a
SHA512 067fb113af017e5c8261eb35a218d167056e5725df7a39cbdee7d6bda3288c85f250e6abee5dbafbfe8db98c066d97bf8a526ca88b06180993f2b074e646b7be

C:\Users\Admin\AppData\Local\lcybndk48g\data\cached-microdesc-consensus.tmp

MD5 8f4baf1bd0a79cd74deae40a54208173
SHA1 4a3d378b958e3e7ab633f46bb97232813ad5e0ed
SHA256 b28e8d51120a7148ed0656c141667c5f9eff38f17288795a10ccf09b3edbc809
SHA512 fa37e67a2c66df6bd3d29599da2052bac69c9d27111e8055827bbb115204c50486b040d9709f45ffa3e64c0d449f52a16a57938624ca7677e3cbac3c8e06be8a

memory/3620-48-0x00007FFF6F510000-0x00007FFF6FFD1000-memory.dmp

memory/3620-53-0x00000211F11F0000-0x00000211F1200000-memory.dmp

C:\Users\Admin\AppData\Local\lcybndk48g\data\cached-microdescs.new

MD5 eeee92bc9f92d67fdd5ce882e8849921
SHA1 e8b34b9c404dc4feb98c5fa980e2325aebd329c2
SHA256 18f4882d8c442aed7d4d4207ac428547b2ea66d2501adb113b970424a15c5f3f
SHA512 7a77a85dc7980a7e318c6d1b139ffe8d9967915e1f884e2eca2ab35e6f71d3db65985e387a9d002f06530733e93a9a5478f42768c377a14bb69fb50f5486987e

C:\Users\Admin\AppData\Local\lcybndk48g\data\cached-microdescs.new

MD5 d70bd41c39d6663a8bf2677fb53771d9
SHA1 61b1d8c1e3a20abc632b7c64a7a4935fdf1ad8b0
SHA256 caffc45aef83455514e6f269dd001f3bcd12f9f3927179013052ac5fe0d7ac36
SHA512 1c87d52d281e651860b3243150b99308aeb9c697d46799d987b7f375b87f99d24977b6385563c12149461b8caa58d3f8b835bb2757ff832b04b782a2eb6b92df