Malware Analysis Report

2024-10-19 06:41

Sample ID 240410-c6g14scb46
Target x19a4f9f3d16fcc9779ba8ea79bf7.exe
SHA256 c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d
Tags
gurcu collection spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d

Threat Level: Known bad

The file x19a4f9f3d16fcc9779ba8ea79bf7.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection spyware stealer

Gurcu, WhiteSnake

Gurcu family

Reads user/profile data of web browsers

Deletes itself

Executes dropped EXE

Reads WinSCP keys stored on the system

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Suspicious use of WriteProcessMemory

outlook_office_path

Runs ping.exe

Uses Task Scheduler COM API

Creates scheduled task(s)

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-10 02:41

Signatures

Gurcu family

gurcu

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 02:41

Reported

2024-04-10 03:33

Platform

win7-20240221-en

Max time kernel

72s

Max time network

915s

Command Line

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\cmd.exe
PID 2344 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\cmd.exe
PID 2344 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\cmd.exe
PID 2248 wrote to memory of 3000 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2248 wrote to memory of 3000 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2248 wrote to memory of 3000 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2248 wrote to memory of 2968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2248 wrote to memory of 2968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2248 wrote to memory of 2968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2248 wrote to memory of 2652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2248 wrote to memory of 2652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2248 wrote to memory of 2652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2248 wrote to memory of 2536 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 2248 wrote to memory of 2536 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 2248 wrote to memory of 2536 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 2816 wrote to memory of 1324 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 2816 wrote to memory of 1324 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 2816 wrote to memory of 1324 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 2536 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\system32\WerFault.exe
PID 2536 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\system32\WerFault.exe
PID 2536 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\system32\WerFault.exe
PID 2816 wrote to memory of 1136 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 2816 wrote to memory of 1136 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 2816 wrote to memory of 1136 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {DB1FEC34-8504-48EE-ACA6-0A1E9882E317} S-1-5-21-778096762-2241304387-192235952-1000:AYFLYVMK\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2536 -s 4528

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 archive.torproject.org udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 blockchain.com udp
US 8.8.8.8:53 blockchain.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 telegram.org udp
US 8.8.8.8:53 eset.com udp
GB 20.26.156.215:80 github.com tcp
US 104.16.29.98:80 blockchain.com tcp
GB 20.26.156.215:80 github.com tcp
NL 149.154.167.99:80 telegram.org tcp
NL 149.154.167.99:80 telegram.org tcp
GB 216.58.204.78:80 youtube.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
US 104.16.29.98:80 blockchain.com tcp
GB 216.58.204.78:80 youtube.com tcp
SK 91.228.166.47:80 eset.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
GB 216.58.204.78:443 youtube.com tcp
GB 216.58.204.78:443 youtube.com tcp
US 8.8.8.8:53 www.eset.com udp
US 8.8.8.8:53 www.blockchain.com udp
US 8.8.8.8:53 www.blockchain.com udp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:80 github.com tcp
BE 104.117.77.144:443 www.eset.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:80 github.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.171:80 apps.identrust.com tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
GB 142.250.178.14:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.16.30.98:443 www.blockchain.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 pornhub.com udp
US 66.254.114.41:80 pornhub.com tcp
US 8.8.8.8:53 ip-api.com udp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 20.26.156.215:443 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp

Files

memory/2344-0-0x00000000003D0000-0x0000000000438000-memory.dmp

memory/2344-1-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

memory/2344-2-0x000000001B3B0000-0x000000001B430000-memory.dmp

memory/2344-5-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

MD5 2299a17350433284e58bd0fcc10edf41
SHA1 d477f1cd55365db00ca77cc5459afabe1ffc80b3
SHA256 c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d
SHA512 123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1

memory/2536-9-0x00000000013A0000-0x0000000001408000-memory.dmp

memory/2536-10-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

memory/2536-11-0x0000000001310000-0x0000000001390000-memory.dmp

memory/1324-14-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

memory/1324-15-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab9263.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar9519.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 41d05c819ab706771276c3d34c8768a6
SHA1 4a03d46ea91526b1f91987ec02bddbfdb10aceb5
SHA256 74d42eaa6f0502e6a7ae75f04ae4d4ae25727b990deb8d7412e86c0ecca75fb5
SHA512 56e603017c513c8f252f937a093b574d38126dc1e67e4eef0605fbf09e90ac19b2c83970fea93cf5e100921e1f79b5f2ef08fa2efc10ea4ad1861b6e203ca4ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d4d3efa0154bb7376ce3156d59251671
SHA1 28b5cfa245bb9644804d89feda91531f7dc6ee5e
SHA256 88ad5a58f6f1d15b4ff5ad0c92b2c8ea78356ec343706c42855204b9dc5afac6
SHA512 f0fec8af7343e0de4c67e81d339a200de4c32cec357faae55c40aa10e9d2b0081f32b100cdf8e4aa8a44c25e4d106d05926a580212f96f7ec68ecbcf4ad30548

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d169f33720f9f98772a0795ea452356
SHA1 db1df49bdff5091fa33dd4a3aa4b0921379dfdda
SHA256 de5fb1fc6fab4579a255c7e0a8e67ba2fae933b3763a8f1b2919a52e09c0798d
SHA512 e6a5b83e4411e54c0d74aeaae2f0a03501690b57a7c7a16f2820941c653840508908964296d8d4e74dd98ac3da68fb6b95a8f61aee628ba12426d2b8138c95e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 37d52fb5bcb22c9a51cccc55b3e9523d
SHA1 2bcb0b3a4f433b5127a3099eb1018208c7936ec3
SHA256 2bfdf159ca9c75e344062410ee72e49dc6c85e613bcd8aac246e48360f3a2f24
SHA512 7315dfbaa11bf92c0959e2bed201c6e6a3dc64e0f2edaf5fa5dccb4f6f193006670a38092ee93a448aa691a9275639eb3af9d96f17b8fc5e1da9ca689bbe0db1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cfa09e78fc1bf2496f9717e7a043dd72
SHA1 61ef35bba4e36eaab75f7ae072f74e4669b91c8d
SHA256 c82835bb6ddb8917fa445b3f05a0eab88a4d474a56aaa5155db76f7f93d627fa
SHA512 bb8b07c44404724ca0f1ec3f5aacaadc6aecba2b878fc136c82df6eb6275f4528bc9fee0587437da47c6c26f38f81aee4fe7468bc3480ab02d170b7ee1a339a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d45e8caa252f5903d4dd3451562e1f38
SHA1 64cb24b828b82df8c203a1a9889796f3c891de69
SHA256 af475746251dbc42c74f65078cb9708c5842a308b205664ed9c10d2a06b252b7
SHA512 2c65cc97ab61b304863384e581e75067e7a9bf322f5856755b373c51e41b89cd3fd938a35de50a49267e98d12d41ef00fc70c407e06472b84916037aaa74e313

memory/2536-390-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

memory/1136-392-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

C:\Users\Admin\AppData\Local\xtioxntk7k\port.dat

MD5 de6b1cf3fb0a3aa1244d30f7b8c29c41
SHA1 8e935923792cf99b005ffff6392055b2d52d759e
SHA256 4121d897f5b0418233c291f0e14442ad25d02d2186daaf2ebf33f92bb5bcda46
SHA512 d9aba91345f67de6d86d3f3173be66eabbaa734bf067517f815d0b5bb07630c5f55fbb6cc8a93f387d907ca2b4e901b6b5442f4ec49a5c38147a09138b0fcc41

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 02:41

Reported

2024-04-10 03:35

Platform

win10-20240404-en

Max time kernel

9s

Max time network

1120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 archive.torproject.org udp
US 8.8.8.8:53 google.com udp
GB 216.58.204.78:80 youtube.com tcp
GB 216.58.204.78:80 youtube.com tcp
US 8.8.8.8:53 blockchain.com udp
DE 159.69.63.226:443 archive.torproject.org tcp
US 104.16.29.98:80 blockchain.com tcp
GB 142.250.200.14:80 google.com tcp
US 8.8.8.8:53 telegram.org udp
NL 149.154.167.99:80 telegram.org tcp
US 104.16.29.98:80 blockchain.com tcp
GB 216.58.204.78:443 youtube.com tcp
GB 216.58.204.78:443 youtube.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 www.blockchain.com udp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.178.14:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
NL 149.154.167.99:80 telegram.org tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 98.29.16.104.in-addr.arpa udp
US 8.8.8.8:53 226.63.69.159.in-addr.arpa udp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 98.30.16.104.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
GB 20.26.156.215:80 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 20.26.156.215:80 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 20.26.156.215:80 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 20.26.156.215:80 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp

Files

memory/1000-0-0x0000016647390000-0x00000166473F8000-memory.dmp

memory/1000-1-0x00007FFF2CBC0000-0x00007FFF2D5AC000-memory.dmp

memory/1000-4-0x0000016661910000-0x0000016661920000-memory.dmp

memory/1000-6-0x00007FFF2CBC0000-0x00007FFF2D5AC000-memory.dmp

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

MD5 2299a17350433284e58bd0fcc10edf41
SHA1 d477f1cd55365db00ca77cc5459afabe1ffc80b3
SHA256 c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d
SHA512 123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x19a4f9f3d16fcc9779ba8ea79bf7.exe.log

MD5 a908a7c6e93edeb3e400780b6fe62dde
SHA1 36e2b437f41443f6b41b45b35a0f97b2cd94123d
SHA256 cae801b0499949178298c1c1a083f7c0febb971d262be9c9588437af66c76ef0
SHA512 deb437dcb1440d37bcd61dfa43be05fd01856a1d1e59aa5b2dfa142e9ae584b0577eea024edb99d8e74e3a1b606bb7ae3b4f9cd8eb30813e67dda678b9319cbe

memory/2692-11-0x00007FFF2CBC0000-0x00007FFF2D5AC000-memory.dmp

memory/2692-12-0x0000019FFBD30000-0x0000019FFBD40000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-10 02:41

Reported

2024-04-10 03:35

Platform

win10v2004-20240319-en

Max time kernel

1196s

Max time network

1203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1920 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\cmd.exe
PID 1920 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\cmd.exe
PID 4408 wrote to memory of 4828 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4408 wrote to memory of 4828 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4408 wrote to memory of 484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4408 wrote to memory of 484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4408 wrote to memory of 3580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4408 wrote to memory of 3580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4408 wrote to memory of 2088 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 4408 wrote to memory of 2088 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 2088 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\tar.exe
PID 2088 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\tar.exe
PID 2088 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 2088 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 5584 wrote to memory of 5680 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 5584 wrote to memory of 5680 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 5416 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 5416 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 2340 wrote to memory of 5940 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 2340 wrote to memory of 5940 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 5788 wrote to memory of 5728 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 5788 wrote to memory of 5728 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 3276 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 3276 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 780 wrote to memory of 5288 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 780 wrote to memory of 5288 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 5956 wrote to memory of 5140 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 5956 wrote to memory of 5140 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 1876 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 1876 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 6096 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 6096 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 1436 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 1436 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 4020 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 4020 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 5940 wrote to memory of 5604 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 5940 wrote to memory of 5604 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 5900 wrote to memory of 5424 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 5900 wrote to memory of 5424 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 4160 wrote to memory of 5620 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 4160 wrote to memory of 5620 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 3160 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 3160 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 5280 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 5280 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 4024 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 4024 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 4736 wrote to memory of 5900 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 4736 wrote to memory of 5900 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 2508 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 2508 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 3692 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 3692 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\System32\tar.exe

"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp9059.tmp" -C "C:\Users\Admin\AppData\Local\xtioxntk7k"

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5108 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
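The cmd.exe command line in the Processes list above is the sample's persistence and cleanup step in one shot: chcp 65001, a ping to 127.0.0.1 as a crude delay, schtasks /create with /sc MINUTE (no /mo, so every minute) and /rl HIGHEST pointing at the copy under AppData\Local\TeamViewer, DEL of the original in Temp, then START of the copy. That single chain accounts for the "Creates scheduled task(s)", "Runs ping.exe", "Deletes itself" and "Executes dropped EXE" signatures, and the once-a-minute task is why the same binary appears dozens of times under behavioral3. The following is an added example, not code from the page or from the sandbox vendor: a Python parser that splits such a chain and flags those indicators, intended to run over process-creation command lines (Sysmon Event ID 1 or an EDR equivalent). The finding names and the "three or more findings" threshold are my own choices; the sample command line is the one from this page, re-typed as a Python string.

```python
import ntpath
import re
from typing import Optional

# Constructed input: the cmd.exe command line from the Processes list of this
# report, re-typed as a Python string (backslashes doubled, nothing else changed).
SAMPLE_CMDLINE = (
    '"C:\\Windows\\System32\\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && '
    'schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE '
    '/tr "C:\\Users\\Admin\\AppData\\Local\\TeamViewer\\x19a4f9f3d16fcc9779ba8ea79bf7.exe" '
    '/rl HIGHEST /f && DEL /F /S /Q /A '
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\x19a4f9f3d16fcc9779ba8ea79bf7.exe" '
    '&&START "" "C:\\Users\\Admin\\AppData\\Local\\TeamViewer\\x19a4f9f3d16fcc9779ba8ea79bf7.exe"'
)

_VALUE = r'(?:"([^"]*)"|(\S+))'   # a quoted or bare option value


def split_chain(cmdline: str) -> list:
    """Return the individual commands of a `cmd.exe /C a && b && c` line."""
    m = re.search(r'\s/[cCkK]\s+(.*)$', cmdline, re.DOTALL)
    body = m.group(1) if m else cmdline
    return [seg.strip() for seg in body.split('&&') if seg.strip()]


def _option(seg: str, name: str) -> Optional[str]:
    """Value of a schtasks-style `/name value` option, unquoted."""
    m = re.search(rf'/{name}\s+{_VALUE}', seg, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def _exe_path(seg: str) -> Optional[str]:
    """Last .exe path (quoted or bare) mentioned in a DEL/START command."""
    hits = re.findall(r'"([^"]+\.exe)"|(\S+\.exe)', seg, re.IGNORECASE)
    if not hits:
        return None
    quoted, bare = hits[-1]
    return quoted or bare


def analyse_chain(cmdline: str) -> dict:
    """Extract the scheduled task and the deleted/started binaries from a cmd
    chain and flag the persistence + self-delete pattern seen in this report."""
    commands = split_chain(cmdline)
    task, deleted, started, findings = {}, [], [], []
    for seg in commands:
        head = seg.split(None, 1)[0].lower()
        if head == 'schtasks' and re.search(r'/create\b', seg, re.IGNORECASE):
            task = {k: _option(seg, k) for k in ('tn', 'sc', 'mo', 'tr', 'rl')}
        elif head in ('del', 'erase'):
            p = _exe_path(seg)
            if p:
                deleted.append(p)
        elif head == 'start':
            p = _exe_path(seg)
            if p:
                started.append(p)
        elif head == 'ping' and re.search(r'127\.0\.0\.1|localhost', seg, re.IGNORECASE):
            findings.append('ping_used_as_delay')   # loopback ping stands in for sleep

    # /sc MINUTE with no /mo means the task fires every minute.
    if (task.get('sc') or '').upper() == 'MINUTE' and (task.get('mo') or '1') == '1':
        findings.append('task_repeats_every_minute')
    if (task.get('rl') or '').upper() == 'HIGHEST':
        findings.append('task_runs_highest_privilege')
    target = task.get('tr') or ''
    if re.search(r'\\AppData\\', target, re.IGNORECASE):
        findings.append('task_target_in_appdata')   # user-writable, no install footprint
    # Same file name deleted from one directory and started from another.
    for d in deleted:
        for s in started:
            same_name = ntpath.basename(d).lower() == ntpath.basename(s).lower()
            if same_name and d.lower() != s.lower():
                findings.append('self_delete_and_relaunch_from_copy')
    if target and any(target.lower() == s.lower() for s in started):
        findings.append('task_target_is_relaunched_binary')

    return {'commands': commands, 'task': task, 'deleted': deleted,
            'started': started, 'findings': findings,
            'suspicious': len(findings) >= 3}   # threshold is an assumption


if __name__ == '__main__':
    result = analyse_chain(SAMPLE_CMDLINE)
    for k, v in result.items():
        print(f'{k}: {v}')
```

The parser only understands `&&` chaining and the DEL/START/schtasks forms seen here; a chain that uses `&`, `||` or `cmd /c` nesting needs the splitter extended before the same findings apply. Because the task name and the destination directory are the only parts of this chain the operator has to change between builds, alerting on the combination of findings rather than on those literals is what survives the next sample.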

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 blockchain.com udp
US 8.8.8.8:53 archive.torproject.org udp
US 8.8.8.8:53 youtube.com udp
US 104.16.30.98:80 blockchain.com tcp
GB 20.26.156.215:80 github.com tcp
US 104.16.30.98:80 blockchain.com tcp
GB 216.58.204.78:80 youtube.com tcp
GB 216.58.204.78:80 youtube.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 www.blockchain.com udp
GB 216.58.204.78:443 youtube.com tcp
US 8.8.8.8:53 telegram.org udp
GB 216.58.204.78:443 youtube.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
NL 149.154.167.99:80 telegram.org tcp
US 104.16.30.98:443 www.blockchain.com tcp
NL 149.154.167.99:80 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 98.30.16.104.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 226.63.69.159.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
US 104.16.30.98:443 www.blockchain.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 eset.com udp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
SK 91.228.166.47:80 eset.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 www.eset.com udp
BE 104.117.77.144:443 www.eset.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
SK 91.228.166.47:80 eset.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
BE 104.117.77.144:443 www.eset.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 47.166.228.91.in-addr.arpa udp
US 8.8.8.8:53 144.77.117.104.in-addr.arpa udp
US 104.16.30.98:443 www.blockchain.com tcp
GB 20.26.156.215:443 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 20.26.156.215:80 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:80 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:80 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 openai.com udp
US 13.107.246.64:80 openai.com tcp
US 13.107.246.64:443 openai.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 20.26.156.215:443 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 104.16.30.98:443 www.blockchain.com tcp
US 74.82.47.194:9001 tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 194.47.82.74.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
N/A 127.0.0.1:49915 tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
IE 94.245.104.56:443 tcp
US 8.8.8.8:53 ip-api.com udp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 208.95.112.1:80 ip-api.com tcp
GB 51.140.242.104:443 tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 20.26.156.215:80 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 20.26.156.215:443 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 104.16.30.98:443 www.blockchain.com tcp
DE 87.118.116.103:443 tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
FI 95.216.2.172:8081 tcp
FR 145.239.41.102:9100 tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 103.116.118.87.in-addr.arpa udp
US 8.8.8.8:53 102.41.239.145.in-addr.arpa udp
US 8.8.8.8:53 172.2.216.95.in-addr.arpa udp
SK 91.228.166.47:80 eset.com tcp
BE 104.117.77.144:443 www.eset.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
GB 20.26.156.215:80 github.com tcp
GB 216.58.204.78:80 www.youtube.com tcp
GB 216.58.204.78:80 www.youtube.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
GB 20.26.156.215:443 github.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 51.11.108.188:443 tcp
US 104.16.30.98:443 www.blockchain.com tcp
N/A 127.0.0.1:50013 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 83.137.50.106:8500 tcp
GB 13.105.221.15:443 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
US 8.8.8.8:53 pornhub.com udp
US 66.254.114.41:80 pornhub.com tcp
US 8.8.8.8:53 41.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
GB 142.250.200.14:80 google.com tcp
GB 216.58.204.78:80 www.youtube.com tcp
GB 216.58.204.78:80 www.youtube.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
SK 91.228.166.47:80 eset.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 8.8.8.8:53 www.eset.com udp
BE 104.117.77.144:443 www.eset.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 104.16.30.98:443 www.blockchain.com tcp
N/A 127.0.0.1:50086 tcp
RU 83.137.50.106:8500 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 149.154.167.99:80 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 66.254.114.41:80 pornhub.com tcp
DE 144.76.136.153:443 transfer.sh tcp
GB 216.58.204.78:80 www.youtube.com tcp
NL 149.154.167.99:80 telegram.org tcp
GB 216.58.204.78:80 www.youtube.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
NL 149.154.167.99:443 telegram.org tcp
GB 142.250.200.14:80 google.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
N/A 127.0.0.1:50126 tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 8.8.8.8:53 234.17.178.52.in-addr.arpa udp
US 96.43.85.54:9002 tcp
GB 216.58.204.78:80 www.youtube.com tcp
DE 144.76.136.153:443 transfer.sh tcp
US 66.254.114.41:80 pornhub.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 96.43.85.54:9002 tcp
N/A 127.0.0.1:50154 tcp
NL 149.154.167.99:80 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
DE 144.76.136.153:443 transfer.sh tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
US 8.8.8.8:53 youtube.com udp
N/A 127.0.0.1:50167 tcp
GB 216.58.204.78:80 youtube.com tcp
GB 142.250.200.14:80 google.com tcp
DE 144.76.136.153:443 transfer.sh tcp
GB 216.58.204.78:443 youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 66.254.114.41:80 pornhub.com tcp
US 96.43.85.54:9002 tcp
US 8.8.8.8:53 blockchain.com udp
GB 216.58.204.78:80 youtube.com tcp
US 104.16.29.98:80 blockchain.com tcp
N/A 127.0.0.1:50194 tcp
US 104.16.29.98:80 blockchain.com tcp
US 8.8.8.8:53 www.blockchain.com udp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 98.29.16.104.in-addr.arpa udp
DE 144.76.136.153:443 transfer.sh tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
US 8.8.8.8:53 openai.com udp
US 104.16.30.98:443 www.blockchain.com tcp
US 13.107.213.64:80 openai.com tcp
US 13.107.213.64:443 openai.com tcp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 64.213.107.13.in-addr.arpa udp
US 104.16.29.98:80 www.blockchain.com tcp
US 8.8.8.8:53 youtube.com udp
US 104.16.29.98:80 www.blockchain.com tcp
US 8.8.8.8:53 google.com udp
GB 216.58.204.78:80 youtube.com tcp
GB 142.250.200.14:80 google.com tcp
GB 216.58.204.78:80 youtube.com tcp
GB 216.58.204.78:443 youtube.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 216.58.204.78:443 youtube.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
N/A 127.0.0.1:50221 tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 telegram.org udp
NL 149.154.167.99:80 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
GB 142.250.200.14:80 google.com tcp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 github.com udp
US 104.16.29.98:80 www.blockchain.com tcp
GB 216.58.204.78:80 youtube.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
GB 216.58.204.78:80 youtube.com tcp
GB 20.26.156.215:80 github.com tcp
GB 216.58.204.78:443 youtube.com tcp
GB 20.26.156.215:443 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 216.58.204.78:443 youtube.com tcp
N/A 127.0.0.1:50249 tcp
RU 83.137.50.106:8500 tcp
US 66.254.114.41:80 pornhub.com tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
DE 144.76.136.153:443 transfer.sh tcp
GB 216.58.204.78:80 youtube.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
GB 142.250.200.14:80 google.com tcp
GB 216.58.204.78:80 youtube.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
RU 83.137.50.106:8500 tcp
N/A 127.0.0.1:50282 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
US 8.8.8.8:53 openai.com udp
US 13.107.246.64:80 openai.com tcp
US 13.107.246.64:443 openai.com tcp
DE 144.76.136.153:443 transfer.sh tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
US 8.8.8.8:53 youtube.com udp
GB 142.250.200.14:80 google.com tcp
GB 216.58.204.78:80 youtube.com tcp
GB 216.58.204.78:80 youtube.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
N/A 127.0.0.1:50306 tcp
DE 144.76.136.153:443 transfer.sh tcp
RU 83.137.50.106:8500 tcp
US 66.254.114.41:80 pornhub.com tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
US 8.8.8.8:53 blockchain.com udp
GB 216.58.204.78:80 youtube.com tcp
GB 216.58.204.78:80 youtube.com tcp
US 104.16.30.98:80 blockchain.com tcp
US 104.16.30.98:80 blockchain.com tcp
GB 216.58.204.78:443 youtube.com tcp
GB 216.58.204.78:443 youtube.com tcp
N/A 127.0.0.1:50325 tcp
DE 144.76.136.153:443 transfer.sh tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
GB 216.58.204.78:80 youtube.com tcp
US 104.16.30.98:80 blockchain.com tcp
GB 216.58.204.78:80 youtube.com tcp
US 104.16.30.98:80 blockchain.com tcp
US 8.8.8.8:53 google.com udp
GB 142.250.200.14:80 google.com tcp
GB 216.58.204.78:443 youtube.com tcp
GB 216.58.204.78:443 youtube.com tcp
US 8.8.8.8:53 www.blockchain.com udp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 telegram.org udp
NL 149.154.167.99:80 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 openai.com udp
US 13.107.213.64:80 openai.com tcp
US 13.107.213.64:443 openai.com tcp
DE 144.76.136.153:443 transfer.sh tcp
N/A 127.0.0.1:50349 tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
GB 142.250.200.14:80 google.com tcp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 github.com udp
GB 142.250.200.14:80 google.com tcp
GB 216.58.204.78:80 youtube.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
GB 216.58.204.78:80 youtube.com tcp
GB 20.26.156.215:80 github.com tcp
N/A 127.0.0.1:50383 tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 blockchain.com udp
GB 216.58.204.78:80 youtube.com tcp
GB 216.58.204.78:80 youtube.com tcp
US 104.16.29.98:80 blockchain.com tcp
N/A 127.0.0.1:50397 tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
DE 144.76.136.153:443 transfer.sh tcp
RU 83.137.50.106:8500 tcp
GB 142.250.200.14:80 google.com tcp
US 104.16.29.98:80 blockchain.com tcp
US 104.16.29.98:80 blockchain.com tcp
US 8.8.8.8:53 youtube.com udp
GB 216.58.204.78:80 youtube.com tcp
GB 216.58.204.78:80 youtube.com tcp
JP 139.162.97.121:8009 tcp
N/A 127.0.0.1:50419 tcp
US 96.43.85.54:9002 tcp
US 66.254.114.41:80 pornhub.com tcp
NL 149.154.167.99:80 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
DE 144.76.136.153:443 transfer.sh tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
GB 216.58.204.78:80 youtube.com tcp
US 104.16.29.98:80 blockchain.com tcp
GB 142.250.200.14:80 google.com tcp
US 104.16.29.98:80 blockchain.com tcp
GB 216.58.204.78:80 youtube.com tcp
GB 216.58.204.78:443 youtube.com tcp
US 104.16.30.98:443 blockchain.com tcp
GB 216.58.204.78:443 youtube.com tcp
US 104.16.30.98:443 blockchain.com tcp
N/A 127.0.0.1:50450 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 google.com udp
DE 144.76.136.153:443 transfer.sh tcp
GB 142.250.200.14:80 google.com tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
US 8.8.8.8:53 telegram.org udp
US 8.8.8.8:53 blockchain.com udp
GB 20.26.156.215:80 github.com tcp
GB 216.58.204.78:80 youtube.com tcp
GB 216.58.204.78:80 youtube.com tcp
NL 149.154.167.99:80 telegram.org tcp
GB 216.58.204.78:443 youtube.com tcp
US 104.16.29.98:80 blockchain.com tcp
GB 216.58.204.78:443 youtube.com tcp
GB 20.26.156.215:443 github.com tcp
US 104.16.29.98:80 blockchain.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 www.blockchain.com udp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 www.youtube.com udp
N/A 127.0.0.1:50484 tcp
US 8.8.8.8:53 openai.com udp
US 13.107.213.64:80 openai.com tcp
US 8.8.8.8:53 openai.com udp
US 13.107.246.64:443 openai.com tcp
DE 144.76.136.153:443 transfer.sh tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
US 66.254.114.41:80 pornhub.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
US 8.8.8.8:53 blockchain.com udp
GB 216.58.204.78:80 www.youtube.com tcp
GB 216.58.204.78:80 www.youtube.com tcp
GB 20.26.156.215:443 github.com tcp
US 104.16.29.98:80 blockchain.com tcp
US 104.16.29.98:80 blockchain.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
DE 144.76.136.153:443 transfer.sh tcp
N/A 127.0.0.1:50513 tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
DE 144.76.136.153:443 transfer.sh tcp
NL 149.154.167.99:80 telegram.org tcp
US 104.16.29.98:80 blockchain.com tcp
US 8.8.8.8:53 google.com udp
US 104.16.29.98:80 blockchain.com tcp
GB 216.58.204.78:80 www.youtube.com tcp
GB 216.58.204.78:80 www.youtube.com tcp
GB 142.250.200.14:80 google.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
N/A 127.0.0.1:50542 tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
US 66.254.114.41:80 pornhub.com tcp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 youtube.com udp
RU 83.137.50.106:8500 tcp
N/A 127.0.0.1:50563 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 142.250.200.14:80 google.com tcp
DE 144.76.136.153:443 transfer.sh tcp

Files

memory/1920-0-0x000002F549A00000-0x000002F549A68000-memory.dmp

memory/1920-1-0x00007FFE395D0000-0x00007FFE3A091000-memory.dmp

memory/1920-4-0x000002F563FC0000-0x000002F563FD0000-memory.dmp

memory/1920-6-0x00007FFE395D0000-0x00007FFE3A091000-memory.dmp

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

MD5 2299a17350433284e58bd0fcc10edf41
SHA1 d477f1cd55365db00ca77cc5459afabe1ffc80b3
SHA256 c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d
SHA512 123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x19a4f9f3d16fcc9779ba8ea79bf7.exe.log

MD5 3308a84a40841fab7dfec198b3c31af7
SHA1 4e7ab6336c0538be5dd7da529c0265b3b6523083
SHA256 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e
SHA512 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

memory/2088-11-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/2088-12-0x000001F991580000-0x000001F991590000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9059.tmp

MD5 89d2d5811c1aff539bb355f15f3ddad0
SHA1 5bb3577c25b6d323d927200c48cd184a3e27c873
SHA256 b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12
SHA512 39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt

MD5 7b4f5dfebae302c53c8ea07a84964195
SHA1 e4cbb6ebaa41e76327430ce89486311ddda3f256
SHA256 eb7d33350e664151202b8c653132aa0d7eb92811318ba30c59ff0488e3f264ee
SHA512 4b446c902c73fc630e1fea5686b11f83b3b62b6772f0ce0e57124304cee33500771f03901845e4b3229fe420ae9a3c915a2d6d3d2e85ad4ada5252f9b1389ccd

C:\Users\Admin\AppData\Local\xtioxntk7k\host\hostname

MD5 5d92a368434f582497a089373fa54acb
SHA1 11867637e496d3fd7bf478da8e994303f088e2bd
SHA256 ef70f1729027bee843076ee38b3d7c5b2dafd1f42fde6c7817057cb6cf1a1184
SHA512 4c557bfbe6234cbaee158f31cdef41533605c682ce1b73d86706c9a89184ac9ef5b090e1e163ba1c6cd56bff11827502ec389e44e211c651114cdc3325c70828

C:\Users\Admin\AppData\Local\xtioxntk7k\data\cached-microdesc-consensus.tmp

MD5 a0db8a87f7b723266c8b04255da46b06
SHA1 4df00ea56d22d88f3d2e005ef66bad5b3ef92ebf
SHA256 60b43cdce0f807f7891521f396f53def34a7d98986dbde0faa2a197189c587f3
SHA512 41b8fc467d11af7ca6a42c7e94d1b8295ab3ae5d6d186b4f378e6e079440520e8324b695da1134beb2bc1697d2491edcc70c1b75ab6fc66b9c1cb2ecbcdb4a7d

memory/5584-53-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/5584-54-0x00000244B2D30000-0x00000244B2D40000-memory.dmp

C:\Users\Admin\AppData\Local\xtioxntk7k\port.dat

MD5 f40438b554cc0e3d96ee6064c5798f55
SHA1 e3d09d110ffd832db5c5683ac611ac8562dff28d
SHA256 a51baee973742433352aef2a7d0206026abe4c804c3f8bbbafd92a740ab78386
SHA512 16657accccfce59d627b1723db5c30bc8b3248bccecaceafcc0d65df1e1ba361e839aea091103cbf8661f4787a5f7903f23cd03fdea0c378fc9888f8e403cc50

memory/5584-57-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

C:\Users\Admin\AppData\Local\xtioxntk7k\data\cached-microdescs.new

MD5 ec98fbf91d51bc8bb3f42e55ec1d8507
SHA1 d1f16ee570081561947a5a3c51ec3fbaec36708c
SHA256 a3af7dff2364e90eb3500815e0fbc00a243af3b14534b1b299cb72c507003ba5
SHA512 2a54f40f6f51d0586f318abe1408e4db3213f2b43efa0dc58dd6cf1d11140b074f61484762e7b62e8950d18fdd8da57abb92239daa4a5bc860ad6f35fde6faa0

memory/2088-67-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/2088-75-0x000001F991580000-0x000001F991590000-memory.dmp

memory/5416-89-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/5416-90-0x0000014256E50000-0x0000014256E60000-memory.dmp

memory/5416-92-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/2340-98-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/2340-100-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/5788-106-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/5788-108-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/3276-110-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/3276-112-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/780-126-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/780-128-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/5956-134-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/5956-136-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/1876-138-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/1876-140-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/6096-154-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/6096-156-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/1436-162-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/1436-164-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/4020-170-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/4020-172-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/5940-182-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/5940-184-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/5900-194-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/5900-196-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/4160-202-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/4160-204-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/3160-214-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/3160-216-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/5280-226-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/5280-227-0x000001CA786F0000-0x000001CA78700000-memory.dmp

memory/5280-229-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/4024-235-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/4024-237-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/4736-247-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/4736-249-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/2508-255-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/2508-261-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/3692-271-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

memory/3692-273-0x00007FFE380B0000-0x00007FFE38B71000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-10 02:41

Reported

2024-04-10 03:36

Platform

win11-20240319-en

Max time kernel

14s

Max time network

926s

Command Line

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4944 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\cmd.exe
PID 4944 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\cmd.exe
PID 3648 wrote to memory of 4676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3648 wrote to memory of 4676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3648 wrote to memory of 2604 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3648 wrote to memory of 2604 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3648 wrote to memory of 1012 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3648 wrote to memory of 1012 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3648 wrote to memory of 2768 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 3648 wrote to memory of 2768 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 2768 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\tar.exe
PID 2768 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\tar.exe
PID 2768 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 2768 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\System32\tar.exe

"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp9664.tmp" -C "C:\Users\Admin\AppData\Local\xtioxntk7k"

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
GB 216.58.204.78:80 www.youtube.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
GB 216.58.204.78:80 www.youtube.com tcp
US 104.16.30.98:80 blockchain.com tcp
US 104.16.30.98:80 blockchain.com tcp
GB 20.26.156.215:443 github.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
US 104.16.29.98:443 blockchain.com tcp
US 104.16.29.98:443 blockchain.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 226.63.69.159.in-addr.arpa udp
US 8.8.8.8:53 98.30.16.104.in-addr.arpa udp
US 8.8.8.8:53 98.29.16.104.in-addr.arpa udp
US 104.16.29.98:443 blockchain.com tcp
US 104.16.29.98:443 blockchain.com tcp
US 104.16.29.98:443 blockchain.com tcp
US 104.16.29.98:443 blockchain.com tcp
US 104.16.29.98:443 blockchain.com tcp
US 104.16.29.98:443 blockchain.com tcp
US 104.16.29.98:443 blockchain.com tcp
US 104.16.29.98:443 blockchain.com tcp
US 104.16.29.98:443 blockchain.com tcp
US 104.16.29.98:443 blockchain.com tcp
US 104.16.29.98:443 blockchain.com tcp
NL 149.154.167.99:80 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:80 telegram.org tcp
GB 142.250.200.14:80 google.com tcp
SK 91.228.166.47:80 eset.com tcp
US 104.16.29.98:443 blockchain.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.16.29.98:443 blockchain.com tcp
BE 104.117.77.144:443 www.eset.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:80 github.com tcp
US 104.16.29.98:443 blockchain.com tcp
GB 20.26.156.215:443 github.com tcp
US 104.16.29.98:443 blockchain.com tcp
US 104.16.29.98:443 blockchain.com tcp
GB 20.26.156.215:80 github.com tcp
DE 178.254.6.130:443 tcp
US 104.16.29.98:443 blockchain.com tcp
US 104.16.29.98:443 blockchain.com tcp
GB 20.26.156.215:443 github.com tcp
US 104.16.29.98:443 blockchain.com tcp
US 104.16.29.98:443 blockchain.com tcp
US 104.16.29.98:443 blockchain.com tcp
DE 185.220.101.203:8443 tcp
US 104.16.29.98:443 blockchain.com tcp
US 104.16.29.98:443 blockchain.com tcp
N/A 127.0.0.1:49820 tcp
US 104.16.29.98:443 blockchain.com tcp
US 104.16.29.98:443 blockchain.com tcp
US 104.16.29.98:443 blockchain.com tcp
US 104.16.29.98:443 blockchain.com tcp
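
Both network tables on this page (this one and the longer behavioral3 table above) mix several kinds of rows: DNS queries to 8.8.8.8, PTR lookups under in-addr.arpa, loopback connections, port 80/443 traffic to well-known names (github.com, youtube.com, blockchain.com, telegram.org, eset.com, openai.com, transfer.sh, ip-api.com) and a handful of bare IP:port destinations on ports such as 9001, 8500, 8009, 9002 and 8443 that were never tied to a name. Since the sample drops tor.exe, torrc.txt and a host\hostname file, the unnamed high-port connections are what a Tor client talking to relays looks like; treating them as the destinations to pivot on is this example's assumption, not a finding of the report. The parser below is an added example (not sandbox output) that classifies rows in this format and counts the unnamed destinations that recur; the sample rows are copied from the report's tables, and the class names are this example's own.

```python
"""Added triage helper for the Network tables in this report (not sandbox
output). It parses rows of the form `<country> <ip>:<port> [<domain>] <proto>`,
separates DNS and PTR traffic, loopback and named web hosts from destinations
the sandbox could not tie to a name, and counts which of those recur. The
sample rows are copied from the report's tables; the class names and the
choice to pivot on repeated unresolved destinations are this example's own."""
from collections import Counter

# Rows copied from this report's behavioral3/behavioral4 tables (header included
# to show it is skipped).
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 98.30.16.104.in-addr.arpa udp
US 74.82.47.194:9001 tcp
N/A 127.0.0.1:49915 tcp
US 208.95.112.1:80 ip-api.com tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
RU 83.137.50.106:8500 tcp
DE 144.76.136.153:443 transfer.sh tcp
DE 185.220.101.203:8443 tcp
NL 149.154.167.220:443 api.telegram.org tcp
"""

# Services that return the caller's public IP; ip-api.com is the one behind the
# report's "Looks up external IP address via web service" signature.
IP_LOOKUP_SERVICES = {'ip-api.com'}


def parse_row(line):
    """One table row -> dict, or None for header, blank or malformed lines."""
    parts = line.split()
    if len(parts) not in (3, 4):
        return None
    country, dest, proto = parts[0], parts[1], parts[-1]
    ip, sep, port = dest.rpartition(':')
    if not sep or not port.isdigit():
        return None
    domain = parts[2] if len(parts) == 4 else None
    return {'country': country, 'ip': ip, 'port': int(port),
            'domain': domain, 'proto': proto.lower()}


def classify(row):
    """Coarse class of a row; order matters (PTR before generic DNS)."""
    if row['ip'] == '127.0.0.1':
        # local ports; with tor.exe running these are probably its SOCKS/control
        # listeners (assumption, the report does not say)
        return 'loopback'
    if row['domain'] and row['domain'].endswith('.in-addr.arpa'):
        return 'reverse_dns'       # PTR lookups carry no intent signal
    if row['port'] == 53 and row['proto'] == 'udp':
        return 'dns'
    if row['domain'] is None:
        return 'unresolved'        # direct IP:port, no name seen in DNS
    return 'named_web' if row['port'] in (80, 443) else 'named_other'


def summarize(table_text):
    """Class counts, unresolved destinations with hit counts, and the
    external-IP lookup services seen."""
    rows = [r for r in map(parse_row, table_text.splitlines()) if r]
    classes = Counter(classify(r) for r in rows)
    unresolved = Counter((r['ip'], r['port']) for r in rows
                         if classify(r) == 'unresolved')
    repeated = sorted(k for k, n in unresolved.items() if n > 1)
    ip_lookup = sorted({r['domain'] for r in rows
                        if r['domain'] in IP_LOOKUP_SERVICES})
    return {'classes': dict(classes), 'unresolved': unresolved,
            'repeated_unresolved': repeated, 'ip_lookup': ip_lookup}


if __name__ == '__main__':
    s = summarize(SAMPLE_ROWS)
    print(s['classes'])
    for (ip, port), n in s['unresolved'].most_common():
        print(f'{ip}:{port}  x{n}')
    print('external IP lookups via:', s['ip_lookup'])
```

Run over the full behavioral3 table, the recurring unresolved destinations are 83.137.50.106:8500, 139.162.97.121:8009 and 96.43.85.54:9002, which reappear together every few rows from the point tor.exe starts; the named port 80/443 hosts, by contrast, are each contacted a few times and then dropped, which is the shape of connectivity checks rather than command-and-control. A resolved name on its own therefore says nothing about intent here: ip-api.com is a legitimate service, but its only role in this trace is to tell the stealer the victim's public IP.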

Files

memory/4944-0-0x000001F16B6C0000-0x000001F16B728000-memory.dmp

memory/4944-1-0x00007FFE95A20000-0x00007FFE964E2000-memory.dmp

memory/4944-2-0x000001F16DE60000-0x000001F16DE70000-memory.dmp

memory/4944-6-0x00007FFE95A20000-0x00007FFE964E2000-memory.dmp

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

MD5 2299a17350433284e58bd0fcc10edf41
SHA1 d477f1cd55365db00ca77cc5459afabe1ffc80b3
SHA256 c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d
SHA512 123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x19a4f9f3d16fcc9779ba8ea79bf7.exe.log

MD5 486ebddc86ea8b3e965d390d22283a23
SHA1 eaffc047f067084867e8575c576a9ec60e094ba8
SHA256 50a57273ecb794e53b0622eb841341e2643c11f53fa47356e6e754ab2268171d
SHA512 0a50ba02250b38355a6f4fb94e40c61258a74031d9aea7cdf675f3e068f39ec0748ecf292aaf2f94b1963b9d66516ee79aa6c552617048e248774af0ff07189d

memory/2768-11-0x00007FFE95A20000-0x00007FFE964E2000-memory.dmp

memory/2768-12-0x000002927B4B0000-0x000002927B4C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9664.tmp

MD5 89d2d5811c1aff539bb355f15f3ddad0
SHA1 5bb3577c25b6d323d927200c48cd184a3e27c873
SHA256 b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12
SHA512 39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt

MD5 53bd2ff460d4c3fb3c787f25625b9741
SHA1 9ae44ff71af5776ee22d412c0b42d39b9fc44171
SHA256 cb7254e44d9f0ec9a269b21b60156b29b131aa4e502b9c5a331a737359f0528e
SHA512 42569e629cd14cf5fc9d5a00bbd7531ed08ac782fa7165410de6e96b4ca46d4760bc143ffb73ad405bd67e0a42b0ac58665cdc2b9329b17aa7fe7b97d31cd27c

C:\Users\Admin\AppData\Local\xtioxntk7k\host\hostname

MD5 abd480046d79d75c69f8c3376754d40b
SHA1 f8f89e78d54ccd44a2dd7c7403b8baa427339417
SHA256 2b89777fe64106c82ac66e4485405f8191deddbcc0ed7dc7ae52efc9271c0377
SHA512 a3f3f08492e9c48fb0a00262f03a34f3a95f3606650cb4edb8bd47fc3df995ac0d184d4ecae718925616ebfdd56cadf6dc43d73b7e81bc5219f269b49ae18598