Malware Analysis Report

2024-10-19 06:41

Sample ID 231014-bysbfahh6s
Target x19a4f9f3d16fcc9779ba8ea79bf7.exe
SHA256 c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d
Tags gurcu collection spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d

Threat Level: Known bad

The file x19a4f9f3d16fcc9779ba8ea79bf7.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection spyware stealer

Gurcu family

Gurcu, WhiteSnake

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious use of WriteProcessMemory

Runs ping.exe

Uses Task Scheduler COM API

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-14 01:33

Signatures

Gurcu family

gurcu

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-14 01:33

Reported

2023-10-14 14:52

Platform

win7-20230831-en

Max time kernel

117s

Max time network

177s

Command Line

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1696 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\cmd.exe
PID 3016 wrote to memory of 2892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3016 wrote to memory of 2680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3016 wrote to memory of 2752 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3016 wrote to memory of 2696 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 2696 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\system32\WerFault.exe
PID 240 wrote to memory of 2404 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 2404 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\system32\WerFault.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2696 -s 2288

C:\Windows\system32\taskeng.exe

taskeng.exe {EA72F54E-0C41-4EB6-838F-8BDB566FD890} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2404 -s 3152

Network

Files

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\Temp\CabB9D0.tmp

C:\Users\Admin\AppData\Local\Temp\TarB9F3.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\xtioxntk7k\port.dat

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-14 01:33

Reported

2023-10-14 14:50

Platform

win10v2004-20230915-en

Max time kernel

149s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\cmd.exe
PID 4428 wrote to memory of 4908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4428 wrote to memory of 4124 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4428 wrote to memory of 428 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4428 wrote to memory of 3372 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 3372 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\tar.exe
PID 3372 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 1152 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Windows\System32\tar.exe

"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp141F.tmp" -C "C:\Users\Admin\AppData\Local\xtioxntk7k"

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

Network


Files
