arkei | 20e5765385bc92922a64f7454367d98a77693adfd62bcb4a44703705ddffbdb0

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-en-20211014
submitted
21-10-2021 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e86f7dfe3f2f795ef1995bd9d6efdea.exe
Size

390KB
MD5

2e86f7dfe3f2f795ef1995bd9d6efdea
SHA1

a2c279c2c2ffd37bd6ee59eadfe037d7e3524c1e
SHA256

20e5765385bc92922a64f7454367d98a77693adfd62bcb4a44703705ddffbdb0
SHA512

1c3aca6e80ddd3353c0fcb62895c81b3e398a44d40539dba37768e11ca6eb0cb7657d4a1b4d3878a3e0317153a2629288f34e34d15f2b6eaea26aebd704b18d0

Score

10^/10

arkei cryptbot fickerstealer default discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

fickerstealer

game2030.site:80

Extracted

Family

arkei

Botnet

Default

http://gurums.online/ggate.php

Extracted

Family

cryptbot

veoalm42.top

moruhx04.top

Attributes

payload_url
http://tynjua14.top/download.php?file=lv.exe

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Arkei Stealer Payload 7 IoCs

stealer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\1634847015094.exe	family_arkei
C:\Users\Admin\AppData\Local\Temp\1634847015094.exe	family_arkei
\Users\Admin\AppData\Local\Temp\1634847015094.exe	family_arkei
\Users\Admin\AppData\Local\Temp\1634847015094.exe	family_arkei
\Users\Admin\AppData\Local\Temp\1634847015094.exe	family_arkei
C:\Users\Admin\AppData\Local\Temp\1634847015094.exe	family_arkei
\Users\Admin\AppData\Local\Temp\1634847015094.exe	family_arkei

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

Processes:

50105800800.exe50105800800.exe1634847014970.exe1634847015094.exe54492346307.exe41851525211.exehvytube.exeGarbage Cleaner.exeGarbage Cleaner.exe

pid	process
1844	50105800800.exe
608	50105800800.exe
1712	1634847014970.exe
1760	1634847015094.exe
1600	54492346307.exe
1140	41851525211.exe
108	hvytube.exe
928	Garbage Cleaner.exe
1872	Garbage Cleaner.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

936 cmd.exe

pid	process
936	cmd.exe

Loads dropped DLL 17 IoCs

Processes:

cmd.exe50105800800.exe50105800800.execmd.exeWerFault.execmd.exe1634847014970.execmd.exe2e86f7dfe3f2f795ef1995bd9d6efdea.exeGarbage Cleaner.exe

pid	process
1048	cmd.exe
1048	cmd.exe
1844	50105800800.exe
608	50105800800.exe
608	50105800800.exe
608	50105800800.exe
1960	cmd.exe
1616	WerFault.exe
1616	WerFault.exe
1508	cmd.exe
1508	cmd.exe
1616	WerFault.exe
1712	1634847014970.exe
1968	cmd.exe
1660	2e86f7dfe3f2f795ef1995bd9d6efdea.exe
1872	Garbage Cleaner.exe
1872	Garbage Cleaner.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1634847014970.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\HVYtube = "C:\\Users\\Admin\\AppData\\Roaming\\HVYtube\\hvytube.exe"	1634847014970.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 api.ipify.org

flow	ioc
10	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

Processes:

50105800800.exeGarbage Cleaner.exe

description	pid	process	target process
PID 1844 set thread context of 608	1844	50105800800.exe	50105800800.exe
PID 928 set thread context of 1872	928	Garbage Cleaner.exe	Garbage Cleaner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1616 1760 WerFault.exe 1634847015094.exe

pid	pid_target	process	target process
1616	1760	WerFault.exe	1634847015094.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

50105800800.exe41851525211.exe54492346307.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	50105800800.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	50105800800.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	41851525211.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	41851525211.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	54492346307.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	54492346307.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

380 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1812 taskkill.exe

pid	process
380	timeout.exe

pid	process
1812	taskkill.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

54492346307.exehvytube.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	54492346307.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	54492346307.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	hvytube.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	hvytube.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	54492346307.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	54492346307.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	hvytube.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	hvytube.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	hvytube.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	hvytube.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

50105800800.exeWerFault.exe

pid process

608 50105800800.exe
1616 WerFault.exe
1616 WerFault.exe
1616 WerFault.exe
1616 WerFault.exe
1616 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1616 WerFault.exe

pid	process
608	50105800800.exe
1616	WerFault.exe
1616	WerFault.exe
1616	WerFault.exe
1616	WerFault.exe
1616	WerFault.exe

pid	process
1616	WerFault.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

WerFault.exetaskkill.exehvytube.exeGarbage Cleaner.exeGarbage Cleaner.exe

description	pid	process
Token: SeDebugPrivilege	1616	WerFault.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	108	hvytube.exe
Token: SeDebugPrivilege	928	Garbage Cleaner.exe
Token: SeDebugPrivilege	1872	Garbage Cleaner.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2e86f7dfe3f2f795ef1995bd9d6efdea.execmd.exe50105800800.exe50105800800.execmd.exe1634847015094.execmd.exe1634847014970.exe41851525211.exe

description	pid	process	target process
PID 1660 wrote to memory of 1048	1660	2e86f7dfe3f2f795ef1995bd9d6efdea.exe	cmd.exe
PID 1660 wrote to memory of 1048	1660	2e86f7dfe3f2f795ef1995bd9d6efdea.exe	cmd.exe
PID 1660 wrote to memory of 1048	1660	2e86f7dfe3f2f795ef1995bd9d6efdea.exe	cmd.exe
PID 1660 wrote to memory of 1048	1660	2e86f7dfe3f2f795ef1995bd9d6efdea.exe	cmd.exe
PID 1048 wrote to memory of 1844	1048	cmd.exe	50105800800.exe
PID 1048 wrote to memory of 1844	1048	cmd.exe	50105800800.exe
PID 1048 wrote to memory of 1844	1048	cmd.exe	50105800800.exe
PID 1048 wrote to memory of 1844	1048	cmd.exe	50105800800.exe
PID 1844 wrote to memory of 608	1844	50105800800.exe	50105800800.exe
PID 1844 wrote to memory of 608	1844	50105800800.exe	50105800800.exe
PID 1844 wrote to memory of 608	1844	50105800800.exe	50105800800.exe
PID 1844 wrote to memory of 608	1844	50105800800.exe	50105800800.exe
PID 1844 wrote to memory of 608	1844	50105800800.exe	50105800800.exe
PID 1844 wrote to memory of 608	1844	50105800800.exe	50105800800.exe
PID 1844 wrote to memory of 608	1844	50105800800.exe	50105800800.exe
PID 1844 wrote to memory of 608	1844	50105800800.exe	50105800800.exe
PID 1844 wrote to memory of 608	1844	50105800800.exe	50105800800.exe
PID 1844 wrote to memory of 608	1844	50105800800.exe	50105800800.exe
PID 1844 wrote to memory of 608	1844	50105800800.exe	50105800800.exe
PID 1844 wrote to memory of 608	1844	50105800800.exe	50105800800.exe
PID 1844 wrote to memory of 608	1844	50105800800.exe	50105800800.exe
PID 1844 wrote to memory of 608	1844	50105800800.exe	50105800800.exe
PID 1844 wrote to memory of 608	1844	50105800800.exe	50105800800.exe
PID 1844 wrote to memory of 608	1844	50105800800.exe	50105800800.exe
PID 1844 wrote to memory of 608	1844	50105800800.exe	50105800800.exe
PID 1844 wrote to memory of 608	1844	50105800800.exe	50105800800.exe
PID 1844 wrote to memory of 608	1844	50105800800.exe	50105800800.exe
PID 1844 wrote to memory of 608	1844	50105800800.exe	50105800800.exe
PID 608 wrote to memory of 1712	608	50105800800.exe	1634847014970.exe
PID 608 wrote to memory of 1712	608	50105800800.exe	1634847014970.exe
PID 608 wrote to memory of 1712	608	50105800800.exe	1634847014970.exe
PID 608 wrote to memory of 1712	608	50105800800.exe	1634847014970.exe
PID 608 wrote to memory of 1760	608	50105800800.exe	1634847015094.exe
PID 608 wrote to memory of 1760	608	50105800800.exe	1634847015094.exe
PID 608 wrote to memory of 1760	608	50105800800.exe	1634847015094.exe
PID 608 wrote to memory of 1760	608	50105800800.exe	1634847015094.exe
PID 1660 wrote to memory of 1960	1660	2e86f7dfe3f2f795ef1995bd9d6efdea.exe	cmd.exe
PID 1660 wrote to memory of 1960	1660	2e86f7dfe3f2f795ef1995bd9d6efdea.exe	cmd.exe
PID 1660 wrote to memory of 1960	1660	2e86f7dfe3f2f795ef1995bd9d6efdea.exe	cmd.exe
PID 1660 wrote to memory of 1960	1660	2e86f7dfe3f2f795ef1995bd9d6efdea.exe	cmd.exe
PID 1960 wrote to memory of 1600	1960	cmd.exe	54492346307.exe
PID 1960 wrote to memory of 1600	1960	cmd.exe	54492346307.exe
PID 1960 wrote to memory of 1600	1960	cmd.exe	54492346307.exe
PID 1960 wrote to memory of 1600	1960	cmd.exe	54492346307.exe
PID 1760 wrote to memory of 1616	1760	1634847015094.exe	WerFault.exe
PID 1760 wrote to memory of 1616	1760	1634847015094.exe	WerFault.exe
PID 1760 wrote to memory of 1616	1760	1634847015094.exe	WerFault.exe
PID 1760 wrote to memory of 1616	1760	1634847015094.exe	WerFault.exe
PID 1660 wrote to memory of 1508	1660	2e86f7dfe3f2f795ef1995bd9d6efdea.exe	cmd.exe
PID 1660 wrote to memory of 1508	1660	2e86f7dfe3f2f795ef1995bd9d6efdea.exe	cmd.exe
PID 1660 wrote to memory of 1508	1660	2e86f7dfe3f2f795ef1995bd9d6efdea.exe	cmd.exe
PID 1660 wrote to memory of 1508	1660	2e86f7dfe3f2f795ef1995bd9d6efdea.exe	cmd.exe
PID 1508 wrote to memory of 1140	1508	cmd.exe	41851525211.exe
PID 1508 wrote to memory of 1140	1508	cmd.exe	41851525211.exe
PID 1508 wrote to memory of 1140	1508	cmd.exe	41851525211.exe
PID 1508 wrote to memory of 1140	1508	cmd.exe	41851525211.exe
PID 1712 wrote to memory of 108	1712	1634847014970.exe	hvytube.exe
PID 1712 wrote to memory of 108	1712	1634847014970.exe	hvytube.exe
PID 1712 wrote to memory of 108	1712	1634847014970.exe	hvytube.exe
PID 1712 wrote to memory of 108	1712	1634847014970.exe	hvytube.exe
PID 1140 wrote to memory of 544	1140	41851525211.exe	cmd.exe
PID 1140 wrote to memory of 544	1140	41851525211.exe	cmd.exe
PID 1140 wrote to memory of 544	1140	41851525211.exe	cmd.exe
PID 1140 wrote to memory of 544	1140	41851525211.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2e86f7dfe3f2f795ef1995bd9d6efdea.exe
"C:\Users\Admin\AppData\Local\Temp\2e86f7dfe3f2f795ef1995bd9d6efdea.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\50105800800.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\50105800800.exe
"C:\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\50105800800.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\50105800800.exe
"C:\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\50105800800.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:608

C:\Users\Admin\AppData\Local\Temp\1634847014970.exe
"C:\Users\Admin\AppData\Local\Temp\1634847014970.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Roaming\HVYtube\hvytube.exe
"C:\Users\Admin\AppData\Roaming\HVYtube\hvytube.exe"
6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:108

C:\Users\Admin\AppData\Local\Temp\1634847015094.exe
"C:\Users\Admin\AppData\Local\Temp\1634847015094.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 760
6⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\54492346307.exe" /mix
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\54492346307.exe
"C:\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\54492346307.exe" /mix
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies system certificate store
PID:1600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\41851525211.exe" /mix
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\41851525211.exe
"C:\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\41851525211.exe" /mix
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\EPvlkNBg & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\41851525211.exe"
4⤵
PID:544

C:\Windows\SysWOW64\timeout.exe
timeout 4
5⤵
- Delays execution with timeout.exe
PID:380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
2⤵
- Loads dropped DLL
PID:1968

C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
"C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
"C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
"C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
4⤵
PID:832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "2e86f7dfe3f2f795ef1995bd9d6efdea.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\2e86f7dfe3f2f795ef1995bd9d6efdea.exe" & exit
2⤵
- Deletes itself
PID:936

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "2e86f7dfe3f2f795ef1995bd9d6efdea.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Garbage Cleaner\Bunifu_UI_v1.5.3.dll
MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
MD5
0c517e5d1c375969dbd64a2c8534acbd

SHA1
f52c28f7a648146776f6ab85331dc61241be574a

SHA256
4ff53d69adcdca685d012c7c15a04ead56cd271ee5a63772a2049372598708ce

SHA512
105cf0d0d3e9da67321c7e88bdfd8ca3cbebf65dad49f7e0d800f13a8574ddc51ade04646f498589c77d214881db239d2fb19c7380eb52418c60565250be2b72

Download Submit
C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
MD5
0c517e5d1c375969dbd64a2c8534acbd

SHA1
f52c28f7a648146776f6ab85331dc61241be574a

SHA256
4ff53d69adcdca685d012c7c15a04ead56cd271ee5a63772a2049372598708ce

SHA512
105cf0d0d3e9da67321c7e88bdfd8ca3cbebf65dad49f7e0d800f13a8574ddc51ade04646f498589c77d214881db239d2fb19c7380eb52418c60565250be2b72

Download Submit
C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
MD5
0c517e5d1c375969dbd64a2c8534acbd

SHA1
f52c28f7a648146776f6ab85331dc61241be574a

SHA256
4ff53d69adcdca685d012c7c15a04ead56cd271ee5a63772a2049372598708ce

SHA512
105cf0d0d3e9da67321c7e88bdfd8ca3cbebf65dad49f7e0d800f13a8574ddc51ade04646f498589c77d214881db239d2fb19c7380eb52418c60565250be2b72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
90ac7fa6113d25dbc2f17962ff7bd82c

SHA1
33827242e2d314c516da1256ee125aecc1540f32

SHA256
46fc5c7f00a8ad4e7d86b5f7abf908bb6105d5c7656e70de6ef83a83ceb6b281

SHA512
ed77ffa4c00216605f113715f0bce72ebd2b3bc2176374d9c7e2718e4eafeb4a0ce954b587b42e19f754fef7c60356e68334d7bb70eae296fb66079759069e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1634847014970.exe
MD5
07c4277b0278cafddb023934c154cc56

SHA1
8fc547689272aa2f26e5721264d4260caae499c0

SHA256
9d8a5319cffb73b9a8fd90118e60a6e3cf632c44bf754566c00cd02123efadd8

SHA512
21276a78dfe0316fa7212791110d42971d3a9c6981be2ab33ac078d40782c0c2584d9695c0280617884922f99cb9a13b6106b9d78f0e61cd84627e04c0c10678

Download Submit
C:\Users\Admin\AppData\Local\Temp\1634847014970.exe
MD5
07c4277b0278cafddb023934c154cc56

SHA1
8fc547689272aa2f26e5721264d4260caae499c0

SHA256
9d8a5319cffb73b9a8fd90118e60a6e3cf632c44bf754566c00cd02123efadd8

SHA512
21276a78dfe0316fa7212791110d42971d3a9c6981be2ab33ac078d40782c0c2584d9695c0280617884922f99cb9a13b6106b9d78f0e61cd84627e04c0c10678

Download Submit
C:\Users\Admin\AppData\Local\Temp\1634847015094.exe
MD5
4bb65548f890bed129c141c3c04fc8c4

SHA1
39257aa791e39dd40a79d1c33c35c30010a98e0d

SHA256
681dd3210d7550268f684628dd7946349ac3a97a6331c5567241a4caf4d7987c

SHA512
48cf64f34f25fb2bff641c54cc1a777c64f13890f0d4bb812758479ff876ae8a9d1edc6eb7da5ed0a1e5a22166bfe4366367d329bb65150d0430458447467587

Download Submit
C:\Users\Admin\AppData\Local\Temp\1634847015094.exe
MD5
4bb65548f890bed129c141c3c04fc8c4

SHA1
39257aa791e39dd40a79d1c33c35c30010a98e0d

SHA256
681dd3210d7550268f684628dd7946349ac3a97a6331c5567241a4caf4d7987c

SHA512
48cf64f34f25fb2bff641c54cc1a777c64f13890f0d4bb812758479ff876ae8a9d1edc6eb7da5ed0a1e5a22166bfe4366367d329bb65150d0430458447467587

Download Submit
C:\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\41851525211.exe
MD5
f2abae5000fe712654372a7adb2321f4

SHA1
44f3e6c1483732aa4353afefc2e07eb7f5542a06

SHA256
bbe067edf24c7ed3076281646e84e3c3d3643205189076e3e2f023a0a7830cc5

SHA512
ad943733ddf2e6077597b614cdd045e8ed6e82010808342d53e2108ccdf5c92b7541f24700f4829cfdef84efc54c6d4735185e895810c7db7a6c3f073f3d59de

Download Submit
C:\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\41851525211.exe
MD5
f2abae5000fe712654372a7adb2321f4

SHA1
44f3e6c1483732aa4353afefc2e07eb7f5542a06

SHA256
bbe067edf24c7ed3076281646e84e3c3d3643205189076e3e2f023a0a7830cc5

SHA512
ad943733ddf2e6077597b614cdd045e8ed6e82010808342d53e2108ccdf5c92b7541f24700f4829cfdef84efc54c6d4735185e895810c7db7a6c3f073f3d59de

Download Submit
C:\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\50105800800.exe
MD5
52241b7a6707a79755e1386a26bce09c

SHA1
bd2f102d6f10cde689835418f213db6b0713c2cd

SHA256
0e01d2215e00c2a03a93b72a13476c588fbd383d4367e3d85265969e65dff388

SHA512
b4f781a8344d9db9ba3ee6d54c9a2c614a3b0699c05f527b1cfd22775613c8f902eb95553b7f3a56b8a1b5b6b7715b0491159d8bcc9dc712129512551d65ea05

Download Submit
C:\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\50105800800.exe
MD5
52241b7a6707a79755e1386a26bce09c

SHA1
bd2f102d6f10cde689835418f213db6b0713c2cd

SHA256
0e01d2215e00c2a03a93b72a13476c588fbd383d4367e3d85265969e65dff388

SHA512
b4f781a8344d9db9ba3ee6d54c9a2c614a3b0699c05f527b1cfd22775613c8f902eb95553b7f3a56b8a1b5b6b7715b0491159d8bcc9dc712129512551d65ea05

Download Submit
C:\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\50105800800.exe
MD5
52241b7a6707a79755e1386a26bce09c

SHA1
bd2f102d6f10cde689835418f213db6b0713c2cd

SHA256
0e01d2215e00c2a03a93b72a13476c588fbd383d4367e3d85265969e65dff388

SHA512
b4f781a8344d9db9ba3ee6d54c9a2c614a3b0699c05f527b1cfd22775613c8f902eb95553b7f3a56b8a1b5b6b7715b0491159d8bcc9dc712129512551d65ea05

Download Submit
C:\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\54492346307.exe
MD5
4eae45e4d76ddf2dd7c7fe4f02ebcaba

SHA1
07d5b2cf6c6ca2f5ccf6041688f8fb5fef95794a

SHA256
e1c6b21ccacb5a29e7b82ca5060872e4d67900edebc2f8704f39040bccffbbbf

SHA512
36b222485600798ec55223adf8854794ff84cba43a0c4ec0952f16f63b41f502f98f82207b6b8b781d668631751f0f30f47fd3a155b3921c089235959e0ecc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\54492346307.exe
MD5
4eae45e4d76ddf2dd7c7fe4f02ebcaba

SHA1
07d5b2cf6c6ca2f5ccf6041688f8fb5fef95794a

SHA256
e1c6b21ccacb5a29e7b82ca5060872e4d67900edebc2f8704f39040bccffbbbf

SHA512
36b222485600798ec55223adf8854794ff84cba43a0c4ec0952f16f63b41f502f98f82207b6b8b781d668631751f0f30f47fd3a155b3921c089235959e0ecc3d

Download Submit
C:\Users\Admin\AppData\Roaming\HVYtube\hvytube.exe
MD5
07c4277b0278cafddb023934c154cc56

SHA1
8fc547689272aa2f26e5721264d4260caae499c0

SHA256
9d8a5319cffb73b9a8fd90118e60a6e3cf632c44bf754566c00cd02123efadd8

SHA512
21276a78dfe0316fa7212791110d42971d3a9c6981be2ab33ac078d40782c0c2584d9695c0280617884922f99cb9a13b6106b9d78f0e61cd84627e04c0c10678

Download Submit
C:\Users\Admin\AppData\Roaming\HVYtube\hvytube.exe
MD5
07c4277b0278cafddb023934c154cc56

SHA1
8fc547689272aa2f26e5721264d4260caae499c0

SHA256
9d8a5319cffb73b9a8fd90118e60a6e3cf632c44bf754566c00cd02123efadd8

SHA512
21276a78dfe0316fa7212791110d42971d3a9c6981be2ab33ac078d40782c0c2584d9695c0280617884922f99cb9a13b6106b9d78f0e61cd84627e04c0c10678

Download Submit
\ProgramData\Garbage Cleaner\Bunifu_UI_v1.5.3.dll
MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
\ProgramData\Garbage Cleaner\Bunifu_UI_v1.5.3.dll
MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
MD5
0c517e5d1c375969dbd64a2c8534acbd

SHA1
f52c28f7a648146776f6ab85331dc61241be574a

SHA256
4ff53d69adcdca685d012c7c15a04ead56cd271ee5a63772a2049372598708ce

SHA512
105cf0d0d3e9da67321c7e88bdfd8ca3cbebf65dad49f7e0d800f13a8574ddc51ade04646f498589c77d214881db239d2fb19c7380eb52418c60565250be2b72

Download Submit
\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
MD5
0c517e5d1c375969dbd64a2c8534acbd

SHA1
f52c28f7a648146776f6ab85331dc61241be574a

SHA256
4ff53d69adcdca685d012c7c15a04ead56cd271ee5a63772a2049372598708ce

SHA512
105cf0d0d3e9da67321c7e88bdfd8ca3cbebf65dad49f7e0d800f13a8574ddc51ade04646f498589c77d214881db239d2fb19c7380eb52418c60565250be2b72

Download Submit
\Users\Admin\AppData\Local\Temp\1634847014970.exe
MD5
07c4277b0278cafddb023934c154cc56

SHA1
8fc547689272aa2f26e5721264d4260caae499c0

SHA256
9d8a5319cffb73b9a8fd90118e60a6e3cf632c44bf754566c00cd02123efadd8

SHA512
21276a78dfe0316fa7212791110d42971d3a9c6981be2ab33ac078d40782c0c2584d9695c0280617884922f99cb9a13b6106b9d78f0e61cd84627e04c0c10678

Download Submit
\Users\Admin\AppData\Local\Temp\1634847015094.exe
MD5
4bb65548f890bed129c141c3c04fc8c4

SHA1
39257aa791e39dd40a79d1c33c35c30010a98e0d

SHA256
681dd3210d7550268f684628dd7946349ac3a97a6331c5567241a4caf4d7987c

SHA512
48cf64f34f25fb2bff641c54cc1a777c64f13890f0d4bb812758479ff876ae8a9d1edc6eb7da5ed0a1e5a22166bfe4366367d329bb65150d0430458447467587

Download Submit
\Users\Admin\AppData\Local\Temp\1634847015094.exe
MD5
4bb65548f890bed129c141c3c04fc8c4

SHA1
39257aa791e39dd40a79d1c33c35c30010a98e0d

SHA256
681dd3210d7550268f684628dd7946349ac3a97a6331c5567241a4caf4d7987c

SHA512
48cf64f34f25fb2bff641c54cc1a777c64f13890f0d4bb812758479ff876ae8a9d1edc6eb7da5ed0a1e5a22166bfe4366367d329bb65150d0430458447467587

Download Submit
\Users\Admin\AppData\Local\Temp\1634847015094.exe
MD5
4bb65548f890bed129c141c3c04fc8c4

SHA1
39257aa791e39dd40a79d1c33c35c30010a98e0d

SHA256
681dd3210d7550268f684628dd7946349ac3a97a6331c5567241a4caf4d7987c

SHA512
48cf64f34f25fb2bff641c54cc1a777c64f13890f0d4bb812758479ff876ae8a9d1edc6eb7da5ed0a1e5a22166bfe4366367d329bb65150d0430458447467587

Download Submit
\Users\Admin\AppData\Local\Temp\1634847015094.exe
MD5
4bb65548f890bed129c141c3c04fc8c4

SHA1
39257aa791e39dd40a79d1c33c35c30010a98e0d

SHA256
681dd3210d7550268f684628dd7946349ac3a97a6331c5567241a4caf4d7987c

SHA512
48cf64f34f25fb2bff641c54cc1a777c64f13890f0d4bb812758479ff876ae8a9d1edc6eb7da5ed0a1e5a22166bfe4366367d329bb65150d0430458447467587

Download Submit
\Users\Admin\AppData\Local\Temp\1634847015094.exe
MD5
4bb65548f890bed129c141c3c04fc8c4

SHA1
39257aa791e39dd40a79d1c33c35c30010a98e0d

SHA256
681dd3210d7550268f684628dd7946349ac3a97a6331c5567241a4caf4d7987c

SHA512
48cf64f34f25fb2bff641c54cc1a777c64f13890f0d4bb812758479ff876ae8a9d1edc6eb7da5ed0a1e5a22166bfe4366367d329bb65150d0430458447467587

Download Submit
\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\41851525211.exe
MD5
f2abae5000fe712654372a7adb2321f4

SHA1
44f3e6c1483732aa4353afefc2e07eb7f5542a06

SHA256
bbe067edf24c7ed3076281646e84e3c3d3643205189076e3e2f023a0a7830cc5

SHA512
ad943733ddf2e6077597b614cdd045e8ed6e82010808342d53e2108ccdf5c92b7541f24700f4829cfdef84efc54c6d4735185e895810c7db7a6c3f073f3d59de

Download Submit
\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\41851525211.exe
MD5
f2abae5000fe712654372a7adb2321f4

SHA1
44f3e6c1483732aa4353afefc2e07eb7f5542a06

SHA256
bbe067edf24c7ed3076281646e84e3c3d3643205189076e3e2f023a0a7830cc5

SHA512
ad943733ddf2e6077597b614cdd045e8ed6e82010808342d53e2108ccdf5c92b7541f24700f4829cfdef84efc54c6d4735185e895810c7db7a6c3f073f3d59de

Download Submit
\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\50105800800.exe
MD5
52241b7a6707a79755e1386a26bce09c

SHA1
bd2f102d6f10cde689835418f213db6b0713c2cd

SHA256
0e01d2215e00c2a03a93b72a13476c588fbd383d4367e3d85265969e65dff388

SHA512
b4f781a8344d9db9ba3ee6d54c9a2c614a3b0699c05f527b1cfd22775613c8f902eb95553b7f3a56b8a1b5b6b7715b0491159d8bcc9dc712129512551d65ea05

Download Submit
\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\50105800800.exe
MD5
52241b7a6707a79755e1386a26bce09c

SHA1
bd2f102d6f10cde689835418f213db6b0713c2cd

SHA256
0e01d2215e00c2a03a93b72a13476c588fbd383d4367e3d85265969e65dff388

SHA512
b4f781a8344d9db9ba3ee6d54c9a2c614a3b0699c05f527b1cfd22775613c8f902eb95553b7f3a56b8a1b5b6b7715b0491159d8bcc9dc712129512551d65ea05

Download Submit
\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\50105800800.exe
MD5
52241b7a6707a79755e1386a26bce09c

SHA1
bd2f102d6f10cde689835418f213db6b0713c2cd

SHA256
0e01d2215e00c2a03a93b72a13476c588fbd383d4367e3d85265969e65dff388

SHA512
b4f781a8344d9db9ba3ee6d54c9a2c614a3b0699c05f527b1cfd22775613c8f902eb95553b7f3a56b8a1b5b6b7715b0491159d8bcc9dc712129512551d65ea05

Download Submit
\Users\Admin\AppData\Local\Temp\{O3bH-C0lHx-NpTV-Bu5Wi}\54492346307.exe
MD5
4eae45e4d76ddf2dd7c7fe4f02ebcaba

SHA1
07d5b2cf6c6ca2f5ccf6041688f8fb5fef95794a

SHA256
e1c6b21ccacb5a29e7b82ca5060872e4d67900edebc2f8704f39040bccffbbbf

SHA512
36b222485600798ec55223adf8854794ff84cba43a0c4ec0952f16f63b41f502f98f82207b6b8b781d668631751f0f30f47fd3a155b3921c089235959e0ecc3d

Download Submit
\Users\Admin\AppData\Roaming\HVYtube\hvytube.exe
MD5
07c4277b0278cafddb023934c154cc56

SHA1
8fc547689272aa2f26e5721264d4260caae499c0

SHA256
9d8a5319cffb73b9a8fd90118e60a6e3cf632c44bf754566c00cd02123efadd8

SHA512
21276a78dfe0316fa7212791110d42971d3a9c6981be2ab33ac078d40782c0c2584d9695c0280617884922f99cb9a13b6106b9d78f0e61cd84627e04c0c10678

Download Submit
memory/108-132-0x0000000005710000-0x00000000057E7000-memory.dmp

Filesize
860KB

Download
memory/108-133-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/108-154-0x0000000005F90000-0x0000000006030000-memory.dmp

Filesize
640KB

Download
memory/108-153-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/108-152-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/108-151-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/108-150-0x0000000005F00000-0x0000000005F8F000-memory.dmp

Filesize
572KB

Download
memory/108-149-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/108-148-0x00000000005A0000-0x00000000005A5000-memory.dmp

Filesize
20KB

Download
memory/108-147-0x0000000004CD0000-0x0000000004D8A000-memory.dmp

Filesize
744KB

Download
memory/108-112-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/108-108-0x0000000000000000-mapping.dmp

Download
memory/108-131-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/380-117-0x0000000000000000-mapping.dmp

Download
memory/544-116-0x0000000000000000-mapping.dmp

Download
memory/608-68-0x0000000000401480-mapping.dmp

Download
memory/608-71-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/608-67-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/928-130-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/928-134-0x0000000001FC0000-0x0000000001FDC000-memory.dmp

Filesize
112KB

Download
memory/928-124-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/928-121-0x0000000000000000-mapping.dmp

Download
memory/936-125-0x0000000000000000-mapping.dmp

Download
memory/1048-59-0x0000000000000000-mapping.dmp

Download
memory/1140-106-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/1140-98-0x0000000000000000-mapping.dmp

Download
memory/1140-105-0x00000000002F0000-0x0000000000335000-memory.dmp

Filesize
276KB

Download
memory/1140-104-0x00000000002C0000-0x00000000002E5000-memory.dmp

Filesize
148KB

Download
memory/1508-94-0x0000000000000000-mapping.dmp

Download
memory/1600-115-0x0000000000400000-0x0000000002F65000-memory.dmp

Filesize
43.4MB

Download
memory/1600-87-0x0000000000000000-mapping.dmp

Download
memory/1600-89-0x000000000311D000-0x0000000003189000-memory.dmp

Filesize
432KB

Download
memory/1600-114-0x0000000000230000-0x00000000002FF000-memory.dmp

Filesize
828KB

Download
memory/1616-102-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/1616-90-0x0000000000000000-mapping.dmp

Download
memory/1660-55-0x000000000028D000-0x00000000002B6000-memory.dmp

Filesize
164KB

Download
memory/1660-58-0x0000000000400000-0x00000000016D5000-memory.dmp

Filesize
18.8MB

Download
memory/1660-56-0x0000000075821000-0x0000000075823000-memory.dmp

Filesize
8KB

Download
memory/1660-57-0x0000000001710000-0x0000000001759000-memory.dmp

Filesize
292KB

Download
memory/1712-74-0x0000000000000000-mapping.dmp

Download
memory/1712-82-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/1760-78-0x0000000000000000-mapping.dmp

Download
memory/1812-128-0x0000000000000000-mapping.dmp

Download
memory/1844-70-0x00000000001B0000-0x00000000001F7000-memory.dmp

Filesize
284KB

Download
memory/1844-63-0x0000000000000000-mapping.dmp

Download
memory/1844-65-0x00000000002ED000-0x0000000000315000-memory.dmp

Filesize
160KB

Download
memory/1872-146-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1872-136-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1872-137-0x00000000004607D2-mapping.dmp

Download
memory/1872-144-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/1872-139-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1872-155-0x0000000004855000-0x0000000004866000-memory.dmp

Filesize
68KB

Download
memory/1960-84-0x0000000000000000-mapping.dmp

Download
memory/1968-118-0x0000000000000000-mapping.dmp

Download