Malware Analysis Report

2024-10-19 06:41

Sample ID 240410-c6gqcacb45
Target x19a4f9f3d16fcc9779ba8ea79bf7.exe
SHA256 c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d
Tags gurcu collection spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256 c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d

Threat Level: Known bad (the file x19a4f9f3d16fcc9779ba8ea79bf7.exe was found to be known bad)

Malicious Activity Summary

gurcu collection spyware stealer

Gurcu, WhiteSnake

Gurcu family

Reads user/profile data of web browsers

Deletes itself

Reads WinSCP keys stored on the system

Executes dropped EXE

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Runs ping.exe

outlook_office_path

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-10 02:41

Signatures

Gurcu family

gurcu

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 02:41

Reported

2024-04-10 03:19

Platform

win10-20240404-en

Max time kernel

5s

Max time network

503s

Command Line

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
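The cmd.exe one-liner above is the sample's entire persistence and clean-up routine in a single command: set the console code page, wait on a loopback ping (a few seconds with the default four echoes, long enough for the parent to exit), register a scheduled task that runs the relocated copy every minute with the highest privileges available to the account, delete the original from Temp, and start the copy. The Python below is an added example, not part of this report or of the sample, that splits such a chain into stages and checks for that relocate, schedule, self-delete, relaunch pattern. The command string and the Temp path are copied from this report; the stage names, the verdict label, the schtasks default of /mo 1 and the treatment of `ping 127.0.0.1` as a delay are the example's own.

```python
"""Stage-by-stage triage of a chained cmd.exe command line.

Added example; not part of the sandbox report or of the analysed sample.
REPORT_CMDLINE and REPORT_IMAGE are copied from this report's Processes
section; everything else (stage names, pattern name) is this example's own.
"""
import re

REPORT_CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && '
    r'schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE '
    r'/tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" '
    r'/rl HIGHEST /f && DEL /F /S /Q /A '
    r'"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe" '
    r'&&START "" "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"'
)
# Image of the process that spawned cmd.exe (the submitted sample).
REPORT_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

_TOKEN = re.compile(r'"[^"]*"|\S+')          # a quoted run or a bare word
_INTERP = re.compile(r'\s*"?[^"]*cmd(?:\.exe)?"?\s+/[CK]\s+', re.I)


def split_chain(cmdline):
    """Drop the 'cmd.exe /C' prefix and split the rest on '&&'.

    Assumes '&&' never occurs inside quotes, which holds for this sample.
    """
    m = _INTERP.match(cmdline)
    body = cmdline[m.end():] if m else cmdline
    return [s.strip() for s in re.split(r"\s*&&\s*", body) if s.strip()]


def tokenize(stage):
    """Split one stage into arguments, removing surrounding double quotes."""
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t
            for t in _TOKEN.findall(stage)]


def parse_schtasks(tokens):
    """Collect the switches of 'schtasks /create' (bare flags become True)."""
    opts, i = {}, 1
    while i < len(tokens):
        t = tokens[i].lower()
        if t in ("/create", "/f"):
            opts[t] = True
            i += 1
        elif t.startswith("/") and i + 1 < len(tokens):
            opts[t] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return {
        "task_name": opts.get("/tn"),
        "schedule": (opts.get("/sc") or "").upper(),
        "modifier": int(opts.get("/mo", 1)),        # schtasks defaults /mo to 1
        "run_level": (opts.get("/rl") or "LIMITED").upper(),
        "action": opts.get("/tr"),
        "force": bool(opts.get("/f", False)),
    }


def classify(tokens):
    """Label one stage of the chain."""
    verb = tokens[0].lower() if tokens else ""
    lowered = [t.lower() for t in tokens]
    if verb == "chcp":
        return {"kind": "codepage", "value": tokens[1] if len(tokens) > 1 else None}
    if verb == "ping" and any(t in ("127.0.0.1", "localhost") for t in lowered):
        # Pinging loopback is a cheap sleep that lets the parent exit first.
        return {"kind": "delay", "value": "ping loopback"}
    if verb == "schtasks" and "/create" in lowered:
        return {"kind": "schtasks_create", **parse_schtasks(tokens)}
    if verb in ("del", "erase"):
        return {"kind": "delete",
                "targets": [t for t in tokens[1:] if not t.startswith("/")],
                "switches": [t.upper() for t in tokens[1:] if t.startswith("/")]}
    if verb == "start":
        args = [t for t in tokens[1:] if not t.startswith("/")]
        if args and args[0] == "":      # START's first quoted arg is the window title
            args = args[1:]
        return {"kind": "start", "target": args[0] if args else None}
    return {"kind": "other", "value": " ".join(tokens)}


def triage_cmdline(cmdline, original_image):
    """Return the classified stages plus the relocate/schedule/self-delete verdict."""
    stages = [classify(tokenize(s)) for s in split_chain(cmdline)]
    task = next((s for s in stages if s["kind"] == "schtasks_create"), None)
    deleted = {t.lower() for s in stages if s["kind"] == "delete" for t in s["targets"]}
    started = {(s["target"] or "").lower() for s in stages if s["kind"] == "start"}
    self_delete = original_image.lower() in deleted
    relaunch = task is not None and (task["action"] or "").lower() in started
    return {
        "stages": stages,
        "task": task,
        "self_delete": self_delete,
        "relaunches_task_binary": relaunch,
        "delay_before_delete": any(s["kind"] == "delay" for s in stages),
        "pattern": ("relocate-schedule-self-delete-relaunch"
                    if task and self_delete and relaunch else None),
    }


if __name__ == "__main__":
    result = triage_cmdline(REPORT_CMDLINE, REPORT_IMAGE)
    for stage in result["stages"]:
        print(stage)
    print("pattern:", result["pattern"])
```

Feeding the report's command line through `triage_cmdline` yields five stages (codepage, delay, schtasks_create, delete, start), a task named x19a4f9f3d16fcc9779ba8ea79bf7 with schedule MINUTE, modifier 1, run level HIGHEST and /f set, and a positive verdict because the deleted path is the submitted image and the started path is the task's own action. The same parser applied to other process-creation logs flags any chain where a scheduled task's action is started immediately after the caller deletes itself, regardless of the task name or folder used.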

Network

Country Destination Domain Proto
US 8.8.8.8:53 blockchain.com udp
US 8.8.8.8:53 eset.com udp
US 8.8.8.8:53 archive.torproject.org udp
US 8.8.8.8:53 youtube.com udp
US 104.16.29.98:80 blockchain.com tcp
US 104.16.29.98:80 blockchain.com tcp
GB 216.58.204.78:80 youtube.com tcp
GB 216.58.204.78:80 youtube.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
SK 91.228.166.47:80 eset.com tcp
US 8.8.8.8:53 www.blockchain.com udp
GB 216.58.204.78:443 youtube.com tcp
GB 216.58.204.78:443 youtube.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 www.eset.com udp
US 8.8.8.8:53 www.youtube.com udp
US 152.199.21.175:443 www.eset.com tcp
US 8.8.8.8:53 telegram.org udp
NL 149.154.167.99:80 telegram.org tcp
GB 142.250.178.14:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
NL 149.154.167.99:80 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.16.30.98:443 www.blockchain.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 github.com udp
US 104.16.30.98:443 www.blockchain.com tcp
GB 20.26.156.215:80 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 20.26.156.215:80 github.com tcp
US 8.8.8.8:53 98.29.16.104.in-addr.arpa udp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 226.63.69.159.in-addr.arpa udp
US 8.8.8.8:53 47.166.228.91.in-addr.arpa udp
US 8.8.8.8:53 98.30.16.104.in-addr.arpa udp
US 8.8.8.8:53 175.21.199.152.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:80 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp

Files

memory/1580-0-0x00000163E0A20000-0x00000163E0A88000-memory.dmp

memory/1580-1-0x00007FFDB61E0000-0x00007FFDB6BCC000-memory.dmp

memory/1580-2-0x00000163FB050000-0x00000163FB060000-memory.dmp

memory/1580-6-0x00007FFDB61E0000-0x00007FFDB6BCC000-memory.dmp

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

MD5 2299a17350433284e58bd0fcc10edf41
SHA1 d477f1cd55365db00ca77cc5459afabe1ffc80b3
SHA256 c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d
SHA512 123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x19a4f9f3d16fcc9779ba8ea79bf7.exe.log

MD5 a908a7c6e93edeb3e400780b6fe62dde
SHA1 36e2b437f41443f6b41b45b35a0f97b2cd94123d
SHA256 cae801b0499949178298c1c1a083f7c0febb971d262be9c9588437af66c76ef0
SHA512 deb437dcb1440d37bcd61dfa43be05fd01856a1d1e59aa5b2dfa142e9ae584b0577eea024edb99d8e74e3a1b606bb7ae3b4f9cd8eb30813e67dda678b9319cbe

memory/220-11-0x00007FFDB61E0000-0x00007FFDB6BCC000-memory.dmp

memory/220-12-0x0000014848CC0000-0x0000014848CD0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-10 02:41

Reported

2024-04-10 03:20

Platform

win10v2004-20240226-en

Max time kernel

593s

Max time network

598s

Command Line

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4500 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\cmd.exe
PID 4500 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\cmd.exe
PID 2432 wrote to memory of 4460 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2432 wrote to memory of 4460 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2432 wrote to memory of 2608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2432 wrote to memory of 2608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2432 wrote to memory of 4592 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2432 wrote to memory of 4592 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2432 wrote to memory of 4908 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 2432 wrote to memory of 4908 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 4908 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\tar.exe
PID 4908 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\tar.exe
PID 4908 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 4908 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 4828 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 4828 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 1984 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 1984 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 3112 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 3112 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 536 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 536 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 1464 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 1464 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 3344 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 3344 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 4592 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 4592 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 5092 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 5092 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 4372 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 4372 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 3732 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
PID 3732 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
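The WriteProcessMemory table above doubles as a process-creation record: in every row the Process column is the writer and the Target column is the process it had just created, every row is recorded twice, and PID 4592 appears first as schtasks.exe and later as the relocated copy, so a PID alone does not identify a process across the run. The Python below is an added example, not from the report or the sandbox vendor, that rebuilds the tree from rows in this format, keying each node by (PID, image) so the reused PID is not attached to the wrong parent, de-duplicates the doubled rows, and lists which processes launched tor.exe. The rows embedded are an excerpt copied from the table, with one duplicate kept on purpose; reading the copies that have no recorded parent as launches by the per-minute scheduled task is this example's interpretation, since the Task Scheduler host is not a writer in this table.

```python
"""Rebuild the process tree from 'PID X wrote to memory of Y' rows.

Added example; not part of the sandbox report. SAMPLE_ROWS is an excerpt
copied from the 'Suspicious use of WriteProcessMemory' table of behavioral3
(one duplicate row kept on purpose). Nodes are keyed by (pid, image) because
PID 4592 is reused: first by schtasks.exe, later by the relocated copy.
"""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
COPY = r"C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
TOR = r"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe"

SAMPLE_ROWS = rf"""
PID 4500 wrote to memory of 2432 N/A {TEMP} {CMD}
PID 4500 wrote to memory of 2432 N/A {TEMP} {CMD}
PID 2432 wrote to memory of 4460 N/A {CMD} C:\Windows\system32\chcp.com
PID 2432 wrote to memory of 2608 N/A {CMD} C:\Windows\system32\PING.EXE
PID 2432 wrote to memory of 4592 N/A {CMD} {SCHTASKS}
PID 2432 wrote to memory of 4908 N/A {CMD} {COPY}
PID 4908 wrote to memory of 5096 N/A {COPY} C:\Windows\System32\tar.exe
PID 4908 wrote to memory of 4364 N/A {COPY} {TOR}
PID 4828 wrote to memory of 3940 N/A {COPY} {TOR}
PID 1984 wrote to memory of 3864 N/A {COPY} {TOR}
PID 3112 wrote to memory of 964 N/A {COPY} {TOR}
PID 4592 wrote to memory of 3228 N/A {COPY} {TOR}
"""

ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")


def parse_edges(text):
    """Return the unique (parent, child) edges; each node is (pid, image)."""
    edges = set()
    for m in ROW.finditer(text):
        ppid, cpid, pimg, cimg = m.groups()
        edges.add(((int(ppid), pimg), (int(cpid), cimg)))
    return edges


def children_of(edges):
    """Map each parent node to the list of nodes it wrote into."""
    kids = defaultdict(list)
    for parent, child in edges:
        kids[parent].append(child)
    return kids


def roots(edges):
    """Writers that are never themselves written to, i.e. have no recorded parent."""
    return sorted({p for p, _ in edges} - {c for _, c in edges})


def launchers_of(edges, image_suffix):
    """Distinct parents that created a child whose image ends with image_suffix."""
    return sorted({p for p, c in edges if c[1].lower().endswith(image_suffix.lower())})


def render(edges):
    """Indented text tree, one subtree per root, children ordered by PID."""
    kids = children_of(edges)
    lines = []

    def walk(node, depth):
        pid, image = node
        name = image.rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{pid} {name}")
        for child in sorted(kids.get(node, [])):
            walk(child, depth + 1)

    for root in roots(edges):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_ROWS)
    print(render(edges))
    # Copies with no recorded parent are consistent with launches by the
    # per-minute scheduled task (this example's interpretation).
    print("tor.exe launched by PIDs:", [pid for pid, _ in launchers_of(edges, "tor.exe")])
```

On the excerpt the tree has five roots: the submitted sample (PID 4500, under which cmd.exe, chcp, ping, schtasks and the first copy sit) and four copies of the relocated binary with no recorded parent, each of which spawned tor.exe. Because nodes are (PID, image) pairs, (4592, schtasks.exe) stays a leaf under cmd.exe while (4592, the copy) is its own root; a PID-only tree would have hung a tor.exe under schtasks.exe.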

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
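The "Accesses Microsoft Outlook profiles", outlook_office_path and outlook_win_path entries (in both behavioral runs) and the "Checks computer location settings" entries in this run are all registry reads by the relocated copy. The Outlook keys end in the 9375CFF0413111d3B88A00104B2A6676 profile section that stores each profile's account settings, so a read of it by anything other than Outlook is worth alerting on, whereas the Geo\Nation value is read by many legitimate programs and only merits an informational note. The Python below is an added example, not from the report, that parses rows in the report's "Key opened ... process N/A" layout, replaces the per-user SID with a placeholder so one rule covers every machine, and applies glob rules for both cases; the rows are copied from this report except the last, an OUTLOOK.EXE read, which is constructed as a benign control, and the allow-list containing only outlook.exe is an assumption.

```python
"""Rule-based review of registry access rows from this report.

Added example; not part of the sandbox report. SAMPLE_ROWS copies rows from
the 'Accesses Microsoft Outlook profiles' and 'Checks computer location
settings' tables of behavioral3; the last row, an OUTLOOK.EXE read, is
constructed as a benign control. The allow-list (only outlook.exe may read
Outlook profile keys) is an assumption.
"""
import re
from fnmatch import fnmatchcase

SID = "S-1-5-21-275798769-4264537674-1142822080-1000"
COPY = r"C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
PROFILE = r"Outlook\9375CFF0413111d3B88A00104B2A6676"   # profile section with account settings

SAMPLE_ROWS = rf"""
Key opened \REGISTRY\USER\{SID}\Software\Microsoft\Office\15.0\Outlook\Profiles\{PROFILE} {COPY} N/A
Key opened \REGISTRY\USER\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\{PROFILE} {COPY} N/A
Key opened \REGISTRY\USER\{SID}\Software\Microsoft\Office\16.0\Outlook\Profiles\{PROFILE} {COPY} N/A
Key value queried \REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation {COPY} N/A
Key value queried \REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation {TEMP} N/A
Key opened \REGISTRY\USER\{SID}\Software\Microsoft\Office\16.0\Outlook\Profiles\{PROFILE} C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE N/A
"""

# operation, key path (may contain spaces), process image (may contain spaces), target
EVENT = re.compile(
    r"^(Key opened|Key value queried)\s+(\\REGISTRY\\.+?)\s+([A-Za-z]:\\.+?)\s+(\S+)\s*$"
)
HIVES = [
    (re.compile(r"^\\REGISTRY\\USER\\S-1-5-21(?:-\d+)+\\", re.I), r"HKU\\<SID>\\"),
    (re.compile(r"^\\REGISTRY\\MACHINE\\", re.I), r"HKLM\\"),
]

# (glob over the normalised lower-case key, finding name, images allowed to touch it or None)
RULES = [
    (r"hku\*\software\microsoft\office\*\outlook\profiles\*", "outlook_office_path", {"outlook.exe"}),
    (r"hku\*\software\microsoft\windows nt\currentversion\windows messaging subsystem\profiles\*",
     "outlook_win_path", {"outlook.exe"}),
    (r"hku\*\control panel\international\geo\nation", "geo_nation_check", None),
]


def normalise(key):
    """Replace the per-user SID with a placeholder, map hives, lower-case the path."""
    for pattern, repl in HIVES:
        key = pattern.sub(repl, key)
    return key.lower()


def parse_events(text):
    """Parse rows in the report's 'Description Indicator Process Target' layout."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT.match(line.strip())
        if m:
            op, key, process, target = m.groups()
            events.append({"op": op, "key": key, "process": process, "target": target})
    return events


def evaluate(event):
    """Attach a finding and severity; Outlook profile reads by other images are high."""
    key = normalise(event["key"])
    image = event["process"].rsplit("\\", 1)[-1].lower()
    for pattern, finding, allowed in RULES:
        if fnmatchcase(key, pattern):
            severity = "info" if allowed is None or image in allowed else "high"
            return {**event, "key": key, "image": image, "finding": finding, "severity": severity}
    return {**event, "key": key, "image": image, "finding": None, "severity": "none"}


def triage(text):
    return [evaluate(e) for e in parse_events(text)]


if __name__ == "__main__":
    for r in triage(SAMPLE_ROWS):
        print(f"{r['severity']:5} {r['finding'] or '-':20} {r['image']:40} {r['key']}")
```

On the embedded rows the three Outlook profile reads by x19a4f9f3d16fcc9779ba8ea79bf7.exe come out as high, the two Geo\Nation queries as informational, and the constructed OUTLOOK.EXE read as informational because the image is on the allow-list. Because the SID is replaced before matching, the same three rules apply unchanged to the behavioral2 rows, which carry a different SID.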

Processes

C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\System32\tar.exe

"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp52C3.tmp" -C "C:\Users\Admin\AppData\Local\xtioxntk7k"

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

"C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"

Network

Country Destination Domain Proto (Domain is blank where no hostname was recorded for the destination)
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 blockchain.com udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 archive.torproject.org udp
US 104.16.30.98:80 blockchain.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
GB 216.58.204.78:80 youtube.com tcp
US 104.16.30.98:80 blockchain.com tcp
GB 216.58.204.78:80 youtube.com tcp
GB 216.58.204.78:443 youtube.com tcp
GB 216.58.204.78:443 youtube.com tcp
US 8.8.8.8:53 www.blockchain.com udp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 eset.com udp
US 8.8.8.8:53 98.30.16.104.in-addr.arpa udp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 226.63.69.159.in-addr.arpa udp
US 8.8.8.8:53 98.29.16.104.in-addr.arpa udp
SK 91.228.166.47:80 eset.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 8.8.8.8:53 www.eset.com udp
US 152.199.21.175:443 www.eset.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
SK 91.228.166.47:80 eset.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 47.166.228.91.in-addr.arpa udp
US 8.8.8.8:53 175.21.199.152.in-addr.arpa udp
US 104.16.29.98:443 www.blockchain.com tcp
US 8.8.8.8:53 telegram.org udp
NL 149.154.167.99:80 telegram.org tcp
US 152.199.21.175:443 www.eset.com tcp
NL 149.154.167.99:80 telegram.org tcp
SK 91.228.166.47:80 eset.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 8.8.8.8:53 github.com udp
NL 149.154.167.99:443 telegram.org tcp
GB 20.26.156.215:80 github.com tcp
US 152.199.21.175:443 www.eset.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:80 github.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 8.8.8.8:53 pornhub.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.200.14:80 google.com tcp
US 66.254.114.41:80 pornhub.com tcp
GB 20.26.156.215:80 github.com tcp
SK 91.228.166.47:80 eset.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 41.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:80 github.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
GB 20.26.156.215:80 github.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
GB 20.26.156.215:80 github.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
GB 20.26.156.215:443 github.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
GB 20.26.156.215:443 github.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
GB 20.26.156.215:443 github.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
SK 91.228.166.47:80 eset.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
DE 185.232.70.209:443 tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
N/A 127.0.0.1:64410 tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
FI 23.154.177.3:443 tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 66.254.114.41:80 pornhub.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 8.8.8.8:53 3.177.154.23.in-addr.arpa udp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
SK 91.228.166.47:80 eset.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 8.8.8.8:53 openai.com udp
US 13.107.213.64:80 openai.com tcp
US 8.8.8.8:53 transfer.sh udp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
DE 144.76.136.153:443 transfer.sh tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 13.107.213.64:443 openai.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
DE 46.4.78.3:4443 tcp
DE 128.0.64.148:9001 tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 8.8.8.8:53 64.213.107.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 8.8.8.8:53 3.78.4.46.in-addr.arpa udp
US 8.8.8.8:53 148.64.0.128.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
RU 83.137.50.106:8500 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
JP 139.162.97.121:8009 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 96.43.85.54:9002 tcp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 github.com udp
NL 149.154.167.99:80 telegram.org tcp
GB 20.26.156.215:80 github.com tcp
GB 216.58.204.78:80 www.youtube.com tcp
GB 216.58.204.78:80 www.youtube.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 blockchain.com udp
US 104.16.29.98:80 blockchain.com tcp
US 104.16.29.98:80 blockchain.com tcp
GB 20.26.156.215:443 github.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
N/A 127.0.0.1:64535 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
US 66.254.114.41:80 pornhub.com tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
GB 216.58.204.78:80 www.youtube.com tcp
GB 142.250.200.14:80 google.com tcp
GB 216.58.204.78:80 www.youtube.com tcp
US 104.16.29.98:80 blockchain.com tcp
US 104.16.29.98:80 blockchain.com tcp
GB 216.58.204.78:80 www.youtube.com tcp
DE 144.76.136.153:443 transfer.sh tcp
GB 216.58.204.78:443 www.youtube.com tcp
N/A 127.0.0.1:64572 tcp
GB 142.250.178.14:443 www.youtube.com tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp
US 66.254.114.41:80 pornhub.com tcp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 telegram.org udp
US 8.8.8.8:53 blockchain.com udp
GB 216.58.204.78:80 www.youtube.com tcp
GB 216.58.204.78:80 www.youtube.com tcp
US 104.16.29.98:80 blockchain.com tcp
NL 149.154.167.99:80 telegram.org tcp
US 104.16.29.98:80 blockchain.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
N/A 127.0.0.1:64598 tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
US 104.16.29.98:80 blockchain.com tcp
US 8.8.8.8:53 openai.com udp
US 13.107.246.64:80 openai.com tcp
US 8.8.8.8:53 www.blockchain.com udp
US 104.16.30.98:443 www.blockchain.com tcp
US 13.107.246.64:443 openai.com tcp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
GB 216.58.204.78:80 www.youtube.com tcp
DE 144.76.136.153:443 transfer.sh tcp
GB 216.58.204.78:443 www.youtube.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.178.14:443 www.youtube.com tcp
NL 149.154.167.99:80 telegram.org tcp
US 8.8.8.8:53 github.com udp
GB 216.58.204.78:80 www.youtube.com tcp
GB 216.58.204.78:80 www.youtube.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
GB 20.26.156.215:80 github.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
GB 20.26.156.215:443 github.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
N/A 127.0.0.1:64620 tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
US 8.8.8.8:53 www.blockchain.com udp
US 104.16.29.98:443 www.blockchain.com tcp
US 66.254.114.41:80 pornhub.com tcp
US 8.8.8.8:53 google.com udp
DE 144.76.136.153:443 transfer.sh tcp
GB 142.250.200.14:80 google.com tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 blockchain.com udp
NL 149.154.167.99:80 telegram.org tcp
GB 216.58.204.78:80 www.youtube.com tcp
GB 216.58.204.78:80 www.youtube.com tcp
GB 20.26.156.215:80 github.com tcp
US 104.16.30.98:80 blockchain.com tcp
US 96.43.85.54:9002 tcp
US 104.16.30.98:80 blockchain.com tcp
US 8.8.8.8:53 youtube.com udp
NL 149.154.167.99:443 telegram.org tcp
N/A 127.0.0.1:64654 tcp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
GB 216.58.204.78:80 youtube.com tcp
GB 216.58.204.78:80 youtube.com tcp
US 104.16.30.98:80 blockchain.com tcp
US 104.16.30.98:80 blockchain.com tcp
N/A 127.0.0.1:64678 tcp
US 8.8.8.8:53 google.com udp
DE 144.76.136.153:443 transfer.sh tcp
GB 142.250.200.14:80 google.com tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
US 8.8.8.8:53 github.com udp
GB 142.250.200.14:80 google.com tcp
US 104.16.30.98:80 blockchain.com tcp
GB 216.58.204.78:80 youtube.com tcp
US 104.16.30.98:80 blockchain.com tcp
GB 216.58.204.78:80 youtube.com tcp
GB 20.26.156.215:80 github.com tcp
N/A 127.0.0.1:64693 tcp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
DE 144.76.136.153:443 transfer.sh tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 github.com udp
GB 216.58.204.78:80 youtube.com tcp
NL 149.154.167.99:80 telegram.org tcp
GB 216.58.204.78:80 youtube.com tcp
US 8.8.8.8:53 blockchain.com udp
GB 20.26.156.215:80 github.com tcp
US 8.8.8.8:53 google.com udp
GB 142.250.200.14:80 google.com tcp
US 104.16.30.98:80 blockchain.com tcp
US 104.16.30.98:80 blockchain.com tcp
NL 149.154.167.99:443 telegram.org tcp
GB 20.26.156.215:443 github.com tcp
GB 216.58.204.78:443 youtube.com tcp
GB 216.58.204.78:443 youtube.com tcp
N/A 127.0.0.1:64721 tcp
RU 83.137.50.106:8500 tcp
US 8.8.8.8:53 pornhub.com udp
JP 139.162.97.121:8009 tcp
US 66.254.114.41:80 pornhub.com tcp
US 96.43.85.54:9002 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
DE 144.76.136.153:443 transfer.sh tcp
N/A 127.0.0.1:64754 tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
US 96.43.85.54:9002 tcp
GB 20.26.156.215:80 github.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
DE 144.76.136.153:443 transfer.sh tcp
RU 83.137.50.106:8500 tcp
JP 139.162.97.121:8009 tcp
NL 149.154.167.99:80 telegram.org tcp
US 8.8.8.8:53 github.com udp
GB 216.58.204.78:80 youtube.com tcp
GB 216.58.204.78:80 youtube.com tcp
GB 20.26.156.215:80 github.com tcp
US 104.16.30.98:80 blockchain.com tcp
US 104.16.30.98:80 blockchain.com tcp
US 8.8.8.8:53 youtube.com udp
NL 149.154.167.99:443 telegram.org tcp
N/A 127.0.0.1:64775 tcp
US 96.43.85.54:9002 tcp

Files

memory/4500-0-0x000001ADA33D0000-0x000001ADA3438000-memory.dmp

memory/4500-1-0x00007FF873F20000-0x00007FF8749E1000-memory.dmp

memory/4500-2-0x000001ADBD990000-0x000001ADBD9A0000-memory.dmp

memory/4500-6-0x00007FF873F20000-0x00007FF8749E1000-memory.dmp

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

MD5 2299a17350433284e58bd0fcc10edf41
SHA1 d477f1cd55365db00ca77cc5459afabe1ffc80b3
SHA256 c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d
SHA512 123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x19a4f9f3d16fcc9779ba8ea79bf7.exe.log

MD5 3308a84a40841fab7dfec198b3c31af7
SHA1 4e7ab6336c0538be5dd7da529c0265b3b6523083
SHA256 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e
SHA512 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

memory/4908-11-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

memory/4908-12-0x0000023B35B20000-0x0000023B35B30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp52C3.tmp

MD5 89d2d5811c1aff539bb355f15f3ddad0
SHA1 5bb3577c25b6d323d927200c48cd184a3e27c873
SHA256 b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12
SHA512 39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt

MD5 4951df203bd8717e1018448c8097215a
SHA1 0d7b0753238e335a98e385b904df8267393bf4de
SHA256 31933488b02ac705285a18fefd458ce59b92274aee20e8d98998434739c9646e
SHA512 b000924f02c50ab2f18167b877252f04b0099844aac4b9ade54ebe18e061c8a1248c5d35cb62cc9cc09436d94e4aab5cdb08e39b0a3677835c36970822b2f3b2

C:\Users\Admin\AppData\Local\xtioxntk7k\host\hostname

MD5 09c9b86472f9a91e944772e4f72261b1
SHA1 1f9aa64710e3de10e76322c4053a206df99e215d
SHA256 852d99db33fd5071e22b6b656905a7194219f7817473ea8df50c3bd0f76df026
SHA512 0857ea4afee32f27ed0b20fc4d6c6fde32f00d5bc72dc98fbcc4a8b70140e184997aa77b8c8ea1feabfa5316e6e83146d54165a295b41177f7e5152da7ce1579

C:\Users\Admin\AppData\Local\xtioxntk7k\data\cached-microdesc-consensus.tmp

MD5 a0db8a87f7b723266c8b04255da46b06
SHA1 4df00ea56d22d88f3d2e005ef66bad5b3ef92ebf
SHA256 60b43cdce0f807f7891521f396f53def34a7d98986dbde0faa2a197189c587f3
SHA512 41b8fc467d11af7ca6a42c7e94d1b8295ab3ae5d6d186b4f378e6e079440520e8324b695da1134beb2bc1697d2491edcc70c1b75ab6fc66b9c1cb2ecbcdb4a7d

C:\Users\Admin\AppData\Local\xtioxntk7k\data\cached-certs

MD5 7195712969b21a081d34607126113068
SHA1 737ce76b11bbaac1bfa6c41bfe18a88a4514e234
SHA256 2a81d8dc15beebe0beedee7564272004a0eee1522d8d14f3e42b1e7704a79d44
SHA512 66a12083120173f4791a1d5333c09a98fd6e5b98434523b856f7e2429395707000c1515b49252c199fe978ab5442743e0e38882aaeacaa24cea70d5c1384e2a0

C:\Users\Admin\AppData\Local\xtioxntk7k\data\cached-microdescs.new

MD5 48d10437efde97174bb6db0dd5485226
SHA1 75a5d29bcefd7b8cf8d75553963a2460407e1a51
SHA256 4bed2d018b8e4327b8d419016eb4c2f1adbcde58b4080bee6cab44ed443a5e37
SHA512 c9113a072b80e719c60a8eec4e0c1db6d25d8f4c04ed054e46eb2401d083575c84e826acfcc33e153ebe9f3f1aad1ae9c85e2389e3d3682c1057d8015aff7527

memory/4908-68-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

memory/4908-73-0x0000023B35B20000-0x0000023B35B30000-memory.dmp

memory/4828-79-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

memory/4828-80-0x000001C9C5480000-0x000001C9C5490000-memory.dmp

C:\Users\Admin\AppData\Local\xtioxntk7k\port.dat

MD5 30f48cd3c7e73511070b95ee0a884c23
SHA1 97d28a9f0da27d11b7fc74d21f7fa0f5f279f21e
SHA256 a2b6103a90e7178ea29afa2a5e4d0fd98a71e75ac5c0a98ca166327a8814a6fb
SHA512 b53add15fe32d2afab89291ac483df680d0f4c1deb0134ccebe6d05c755339ec7c95649b7034f64d23898f8eb7e4bf971e01c84969c2adde3543842f4a99ea74

memory/4828-83-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

memory/1984-93-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

memory/1984-94-0x000001A7E9ED0000-0x000001A7E9EE0000-memory.dmp

memory/1984-96-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

memory/3112-102-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

memory/3112-104-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

memory/536-106-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

memory/536-108-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

memory/1464-118-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

memory/1464-119-0x000002A4F0500000-0x000002A4F0510000-memory.dmp

memory/1464-121-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

memory/3344-131-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

memory/3344-132-0x00000197A26F0000-0x00000197A2700000-memory.dmp

memory/3344-134-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

memory/4592-136-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

memory/4592-138-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

memory/5092-144-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

memory/5092-145-0x000002481BA20000-0x000002481BA30000-memory.dmp

memory/5092-147-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

memory/4372-161-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

memory/4372-162-0x000001B09C9B0000-0x000001B09C9C0000-memory.dmp

memory/4372-164-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

memory/3732-170-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

memory/3732-172-0x00007FF873500000-0x00007FF873FC1000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-10 02:41

Reported

2024-04-10 03:22

Platform

win11-20240221-en

Max time kernel

4s

Max time network

506s

Command Line

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 blockchain.com udp
US 8.8.8.8:53 youtube.com udp
US 104.16.30.98:80 www.blockchain.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
US 104.16.30.98:80 www.blockchain.com tcp
GB 216.58.204.78:80 youtube.com tcp
GB 216.58.204.78:80 youtube.com tcp
GB 216.58.204.78:443 youtube.com tcp
GB 216.58.204.78:443 youtube.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp

Files

memory/2800-0-0x0000022AFFC40000-0x0000022AFFCA8000-memory.dmp

memory/2800-1-0x00007FFF05C30000-0x00007FFF066F2000-memory.dmp

memory/2800-2-0x0000022A802B0000-0x0000022A802C0000-memory.dmp

memory/2800-6-0x00007FFF05C30000-0x00007FFF066F2000-memory.dmp

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

MD5 2299a17350433284e58bd0fcc10edf41
SHA1 d477f1cd55365db00ca77cc5459afabe1ffc80b3
SHA256 c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d
SHA512 123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x19a4f9f3d16fcc9779ba8ea79bf7.exe.log

MD5 486ebddc86ea8b3e965d390d22283a23
SHA1 eaffc047f067084867e8575c576a9ec60e094ba8
SHA256 50a57273ecb794e53b0622eb841341e2643c11f53fa47356e6e754ab2268171d
SHA512 0a50ba02250b38355a6f4fb94e40c61258a74031d9aea7cdf675f3e068f39ec0748ecf292aaf2f94b1963b9d66516ee79aa6c552617048e248774af0ff07189d

memory/2324-11-0x00007FFF05C30000-0x00007FFF066F2000-memory.dmp

memory/2324-12-0x0000025D35EB0000-0x0000025D35EC0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 02:41

Reported

2024-04-10 03:18

Platform

win7-20240215-en

Max time kernel

359s

Max time network

508s

Command Line

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04
eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\cmd.exe
PID 1660 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\cmd.exe
PID 1660 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\System32\cmd.exe
PID 3004 wrote to memory of 2596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3004 wrote to memory of 2596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3004 wrote to memory of 2596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3004 wrote to memory of 2612 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3004 wrote to memory of 2612 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3004 wrote to memory of 2612 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3004 wrote to memory of 2412 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3004 wrote to memory of 2412 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3004 wrote to memory of 2412 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3004 wrote to memory of 2712 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 3004 wrote to memory of 2712 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 3004 wrote to memory of 2712 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 2712 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\system32\WerFault.exe
PID 2712 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\system32\WerFault.exe
PID 2712 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\system32\WerFault.exe
PID 1652 wrote to memory of 2156 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 1652 wrote to memory of 2156 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 1652 wrote to memory of 2156 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
PID 2156 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\system32\WerFault.exe
PID 2156 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\system32\WerFault.exe
PID 2156 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe C:\Windows\system32\WerFault.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

"C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2712 -s 2832

C:\Windows\system32\taskeng.exe

taskeng.exe {FE04783E-5AE0-412C-9654-A93B1680CF6C} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2156 -s 4196

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 blockchain.com udp
US 8.8.8.8:53 archive.torproject.org udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 eset.com udp
US 8.8.8.8:53 blockchain.com udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 telegram.org udp
US 8.8.8.8:53 pornhub.com udp
US 8.8.8.8:53 eset.com udp
US 8.8.8.8:53 telegram.org udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 ip-api.com udp
SK 91.228.166.47:80 eset.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
US 104.16.30.98:80 blockchain.com tcp
SK 91.228.166.47:80 eset.com tcp
NL 149.154.167.99:80 telegram.org tcp
NL 149.154.167.99:80 telegram.org tcp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:80 github.com tcp
US 208.95.112.1:80 ip-api.com tcp
GB 216.58.204.78:80 youtube.com tcp
GB 216.58.204.78:80 youtube.com tcp
US 66.254.114.41:80 pornhub.com tcp
US 104.16.30.98:80 blockchain.com tcp
GB 20.26.156.215:443 github.com tcp
NL 149.154.167.99:443 telegram.org tcp
GB 216.58.204.78:443 youtube.com tcp
GB 216.58.204.78:443 youtube.com tcp
NL 149.154.167.99:443 telegram.org tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:80 github.com tcp
US 8.8.8.8:53 www.blockchain.com udp
US 8.8.8.8:53 www.eset.com udp
US 8.8.8.8:53 www.eset.com udp
US 8.8.8.8:53 www.blockchain.com udp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
BE 104.117.77.121:443 www.eset.com tcp
BE 104.117.77.121:443 www.eset.com tcp
GB 20.26.156.215:80 github.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
GB 20.26.156.215:80 github.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
NL 23.63.101.171:80 apps.identrust.com tcp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:80 github.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
GB 172.217.16.238:443 www.youtube.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp
US 104.16.29.98:443 www.blockchain.com tcp

Files

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\Temp\Cab258D.tmp

C:\Users\Admin\AppData\Local\Temp\Tar25A0.tmp

C:\Users\Admin\AppData\Local\Temp\Cab2653.tmp

C:\Users\Admin\AppData\Local\Temp\Tar2696.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\xtioxntk7k\port.dat