Analysis

  • max time kernel
    113s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-08-2024 09:19

General

  • Target

    UnblоckYT.exe

  • Size

    2.3MB

  • MD5

    d8d657ce3a75933e2857e47536fd6825

  • SHA1

    704108cc72bf51fe837cf7ddfeb518a6a8d12d0a

  • SHA256

    d0a6731abd7e60950d399983b0b1cf54a535be1c2f846b6b0836881db96a9c3e

  • SHA512

    af1f2e8b9e5958b1d9d21e31311e15deeda23daa56c41adc85b671f14aee76daeca55211242096e826c70f6662c28cb5ef89fbe90eaf42f11aa4f23fa721ed33

  • SSDEEP

    49152:7Djlabwz9heWF38XpWxKyNCNWakvy/+adWUKNwljT+Pb3Qz:3qwuWxOWxK6WWakvy35KEoi

Malware Config

Extracted

  • Family
    xworm
  • C2
    connection-arizona.gl.at.ply.gg:65211
  • Attributes
    • Install_directory
      %AppData%
    • install_file
      svchost.exe

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to or copying of a web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 11 IoCs
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\UnblоckYT.exe
    "C:\Users\Admin\AppData\Local\Temp\UnblоckYT.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Users\Admin\AppData\Roaming\UnblоckYT .exe
      "C:\Users\Admin\AppData\Roaming\UnblоckYT .exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:876
      • C:\Users\Admin\AppData\Roaming\UnblockYT .exe
        "C:\Users\Admin\AppData\Roaming\UnblockYT .exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3812
        • C:\Users\Admin\AppData\Roaming\YTunblock.sfx.exe
          "C:\Users\Admin\AppData\Roaming\YTunblock.sfx.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2336
          • C:\Users\Admin\AppData\Roaming\YTunblock.exe
            "C:\Users\Admin\AppData\Roaming\YTunblock.exe"
            5⤵
            • Checks computer location settings
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2428
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\YTunblock.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4312
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'YTunblock.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2448
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4864
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4480
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:3944
            • C:\Users\Admin\AppData\Local\Temp\zlqfmn.exe
              "C:\Users\Admin\AppData\Local\Temp\zlqfmn.exe"
              6⤵
              • Drops file in Drivers directory
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1732
              • C:\Windows\SYSTEM32\attrib.exe
                "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\zlqfmn.exe"
                7⤵
                • Views/modifies file attributes
                PID:1544
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zlqfmn.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1196
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:432
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:5032
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1280
              • C:\Windows\System32\Wbem\wmic.exe
                "wmic.exe" os get Caption
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3500
              • C:\Windows\System32\Wbem\wmic.exe
                "wmic.exe" computersystem get totalphysicalmemory
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4704
              • C:\Windows\System32\Wbem\wmic.exe
                "wmic.exe" csproduct get uuid
                7⤵
                PID:4228
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                PID:552
              • C:\Windows\System32\Wbem\wmic.exe
                "wmic" path win32_VideoController get name
                7⤵
                • Detects videocard installed
                PID:5068
              • C:\Windows\SYSTEM32\cmd.exe
                "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\zlqfmn.exe" && pause
                7⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Suspicious use of WriteProcessMemory
                PID:3188
                • C:\Windows\system32\PING.EXE
                  ping localhost
                  8⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:4748
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /delete /f /tn "svchost"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3320
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4FB1.tmp.bat""
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4820
              • C:\Windows\SysWOW64\timeout.exe
                timeout 3
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:3548
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\ .bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4100
          • C:\Windows\system32\timeout.exe
            timeout /t 2 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:2684
          • C:\Windows\system32\timeout.exe
            timeout /t 3 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:1100
          • C:\Windows\system32\timeout.exe
            timeout /t 2 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:4544
          • C:\Windows\system32\timeout.exe
            timeout /t 1 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:4620
          • C:\Windows\system32\timeout.exe
            timeout /t 1 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:3272
          • C:\Windows\system32\timeout.exe
            timeout /t 3 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:4460
          • C:\Windows\system32\timeout.exe
            timeout /t 3 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:2996
          • C:\Windows\system32\timeout.exe
            timeout /t 1 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:4912
          • C:\Windows\system32\timeout.exe
            timeout /t 1 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:1876
          • C:\Windows\system32\timeout.exe
            timeout /t 2 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:3328
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3204
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4908

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        968cb9309758126772781b83adb8a28f

        SHA1

        8da30e71accf186b2ba11da1797cf67f8f78b47c

        SHA256

        92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

        SHA512

        4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        18KB

        MD5

        d04eed981298045b29c2e3e15363d8ff

        SHA1

        b5b9378bf9f1b5868b702c94fe412536be09d7a4

        SHA256

        04d6f58d988dc01ab63dbf598f8952055b92e1beab3cbb922c7616ed51921575

        SHA512

        c4b25a86415d6b7c27993c26355e8ccea97d7dcd5b6bca43ac15a4877adb2d97da6c96d2134124167eb667acbbe168262c1fb2b88d650d2593933ffda6cb79dd

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        18KB

        MD5

        934bd1046552a63da2992f3eb8fd04d9

        SHA1

        123365b4c7240efba5bfea876e85db18393dc959

        SHA256

        503d240926999d894b6008c4c367e442f6172817b7a069120fced135d6662f39

        SHA512

        8e645dd31c6fb8d8b9da9218500ada2eaf22bba2ab4a5f3f4acb951e7c50150891473a141f3761506c4ee2a0fdb508c023ebbddfbf077361b386453762b8c36c

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        18KB

        MD5

        c0d5391e780b3984e9956318b3702a7e

        SHA1

        2712ad949c3b67dbb7ed65c54165db1aa68f0b8a

        SHA256

        e65f783a9e1abc069cdc0b637a13798017fd3a9ab309c82dcc5eca80af549973

        SHA512

        6a5b4be8eeb8c0b8de8394972ff024f5b8bb32e3a6b33f437858eb05929673bbd071b31cc8a1aa3dd61586d60a1ef00bbb81320e99d89876b337c145e594e8ac

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        18KB

        MD5

        9a523515fe1ebce89896b07952b6e5bb

        SHA1

        a4166874a5e8a369a7d461eeaf197a3f2ae5e1b0

        SHA256

        4762f894b7034fb46f93b6b5171830c4aa2538702989c5c9a96062b1400201f2

        SHA512

        d35435eabf13e134465cbac9ab400c6dc74355dcbaa24cc3db22e90b45699fec313d4879f972cb3f34858d17222ef84cf9dfbb3de2051d31610b552d5cf75db3

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        9b80cd7a712469a4c45fec564313d9eb

        SHA1

        6125c01bc10d204ca36ad1110afe714678655f2d

        SHA256

        5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

        SHA512

        ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        948B

        MD5

        7249f5c73fd4c203cc0b5d76b5d550e6

        SHA1

        c36c86b0fff962ea5f44d40116554a8e7754a5d4

        SHA256

        fd9b15f7b9f160af704090a1781a61943f27baab50a42c62ac7b6df9f415e17d

        SHA512

        71a99f4051daa50099f26212d22920d38bde6ab1ee0f4f5a2a7dee312c49bb885e193fff1d218cb4f0980277b7b62d9801bf8cd7d356e5870e942989c920f346

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        d3235ed022a42ec4338123ab87144afa

        SHA1

        5058608bc0deb720a585a2304a8f7cf63a50a315

        SHA256

        10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

        SHA512

        236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        288f76eb6350b99897bf8a40a26d7b88

        SHA1

        7f386d05202de2cf090bbda84d633a640730e090

        SHA256

        1b9a2714ecfaf4b2e7d7961d5f2537ea360ad0df46a0fa789255235b077075d1

        SHA512

        ffafc9d47140408afba98a9832433c0829ba696524c56d03f4ce67ae84d369c658d3a0b3cbfc62f8e5d83fc91f8f73fc1dd9a27f0deaefd1d07485a63face869

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gbkkd3bp.nn2.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\tmp4FB1.tmp.bat

        Filesize

        158B

        MD5

        71603fd6131d4fcd5698d17a90c43bc3

        SHA1

        e1888a9d092d497286628107880f668edbc856f3

        SHA256

        f311eb93adbba7da85a9c0749134be077ea687490cb12dd7b0a9ed9792919b06

        SHA512

        d3428bc26fce7af66955f783ee76462139a66d39cfa0e44d91b0be8b76d01d54948a32ab8a13324925f090a26313ccd33a1146ef3a3816ec8f80ea39b5fbf62c

      • C:\Users\Admin\AppData\Local\Temp\zlqfmn.exe

        Filesize

        229KB

        MD5

        fed4a7197948ba327337b612254a673b

        SHA1

        2d1a9070dac7754ec592768654574fb933ec3730

        SHA256

        2f8e20e2e7712f7d896fe4fcbcb30161ef7abfc75b88584fc199c9203315efc7

        SHA512

        51bc82d032cee6689d62c98a5ce848297f8d55ecc03a4d506371db278abf418354294e9d5469d38be97fa41adb4d77932401dc0719eea33fb75c162fd0f32cff

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

        Filesize

        771B

        MD5

        194552b0a554d6267a5e323f21f7b4c3

        SHA1

        4b7bfe7d1e9a9945ac552b9b9fcaa7d0e663c7ed

        SHA256

        06e96a978a053516fe82ec36dc03a97336726ca5efb1237e04f7836131f5d96d

        SHA512

        72de6054fe120488e54845eed1b55ccb9e21c7d10b9f10c9f43fd48755920e38411e582bc6955e50261553e3c238f49089eebcf3a4801815ec61a2e57b06da10

      • C:\Users\Admin\AppData\Roaming\UnblockYT .exe

        Filesize

        1.8MB

        MD5

        ddf02dfa6df9ee4e157d675e55a055c7

        SHA1

        d6fc1b85378c9ffae39dfaa0fc3a6876193ce933

        SHA256

        6ec4b872cd4c8aa6859574fb02187bda31fb71cbace5026c9e0d89e078b61730

        SHA512

        79b32c992e1adea1700fac6e87fe1dac0562fc6ff927f16b7464fa32793ff41cc9c1ad9caf323a87213f0cda7c32d29e155e1a5eed8f18d09819d13515b1a4a0

      • C:\Users\Admin\AppData\Roaming\UnblоckYT .exe

        Filesize

        2.0MB

        MD5

        9507d39a1268cc9bc49a89a5b6b1efde

        SHA1

        62919a92df361ec9f797066b8fd025d7e07c2795

        SHA256

        d815fcc722bee4f1025644dce314ce8c0b41d05491fd1e3c382a3b403564075f

        SHA512

        ffd75d68a7e8025c11922681b3214a8c96d70f7fd30f6eb7f6429e3865113f5406cc33ac76cd1580c03b64a52ff846c2c6e8d75968876ab7ac0625dd4873bbc0

      • C:\Users\Admin\AppData\Roaming\YTunblock.exe

        Filesize

        1.2MB

        MD5

        5c130e0ea8b936a34372663dd763f722

        SHA1

        cbb1efd33b28851682ae3f9699c79ffe705c780d

        SHA256

        262edf6e52c54494f19dd41c37307c6fb85bbd37820fb10df68a01f2f2fef644

        SHA512

        a4e7bc8a551507648651740ce87388929ab9c7c3c4997ba0c1fb15116a6e433e1660f11a65886b0ed7552264df74ce055a84fad4c96a057fb0b4c4c37b149f2e

      • C:\Users\Admin\AppData\Roaming\YTunblock.sfx.exe

        Filesize

        1.6MB

        MD5

        10aefe8560bf4e437d2f47bd469a59ff

        SHA1

        57c72df8758b6afcaa47d3dd9b46009b0d68f7e5

        SHA256

        56a5db69837d84f160c2ad3fd7c46ab658df9979d3ba34834a8b514e63626f11

        SHA512

        d8f6fd44f11b140c36bfa1d9d732f31d5bc308887fcce3605391ce30fa2fa360379d5c47e7ea2bb9ef5d7dea5b8f82bdd0d7e643a7d7d9de37b478ac7f43646d

      • C:\Users\Admin\AppData\Roaming\ .bat

        Filesize

        1KB

        MD5

        5807f01368bda72ebd943e8755fa2e0c

        SHA1

        f42940149bf0e256b14343c87f750c6cdac8ae72

        SHA256

        9c7be36ede7526e5d10e8af969dbf8d2b242ab9c52c107e9f42200fb0ee2ce2a

        SHA512

        31612135b0981a500b8b09c72809da0e66e0633885270aeb26de02c26dbdbb4d8b27299349cc352558a3c9ec18eda6840e380ca99473fde3882cbbe3e02dc107
