umbral | d0a6731abd7e60950d399983b0b1cf54a535be1c2f846b6b0836881db96a9c3e

Analysis

max time kernel
298s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-08-2024 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UnblоckYT.exe
Size

2.3MB
MD5

d8d657ce3a75933e2857e47536fd6825
SHA1

704108cc72bf51fe837cf7ddfeb518a6a8d12d0a
SHA256

d0a6731abd7e60950d399983b0b1cf54a535be1c2f846b6b0836881db96a9c3e
SHA512

af1f2e8b9e5958b1d9d21e31311e15deeda23daa56c41adc85b671f14aee76daeca55211242096e826c70f6662c28cb5ef89fbe90eaf42f11aa4f23fa721ed33
SSDEEP

49152:7Djlabwz9heWF38XpWxKyNCNWakvy/+adWUKNwljT+Pb3Qz:3qwuWxOWxK6WWakvy35KEoi

Score

10^/10

umbral xworm credential_access discovery evasion execution persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

connection-arizona.gl.at.ply.gg:65211

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/636-446-0x0000000000620000-0x000000000062E000-memory.dmp	disable_win_def

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a0000000233c5-292.dat	family_umbral
behavioral2/memory/2404-300-0x000001B126910000-0x000001B126950000-memory.dmp	family_umbral

Detect Xworm Payload 13 IoCs

resource	yara_rule
behavioral2/memory/636-45-0x0000000000640000-0x00000000009F2000-memory.dmp	family_xworm
behavioral2/memory/3232-266-0x0000000000C30000-0x0000000000FE2000-memory.dmp	family_xworm
behavioral2/memory/3232-267-0x0000000000C30000-0x0000000000FE2000-memory.dmp	family_xworm
behavioral2/memory/3232-270-0x0000000000C30000-0x0000000000FE2000-memory.dmp	family_xworm
behavioral2/memory/3736-387-0x0000000000C30000-0x0000000000FE2000-memory.dmp	family_xworm
behavioral2/memory/3736-389-0x0000000000C30000-0x0000000000FE2000-memory.dmp	family_xworm
behavioral2/memory/400-399-0x0000000000C30000-0x0000000000FE2000-memory.dmp	family_xworm
behavioral2/memory/400-400-0x0000000000C30000-0x0000000000FE2000-memory.dmp	family_xworm
behavioral2/memory/400-402-0x0000000000C30000-0x0000000000FE2000-memory.dmp	family_xworm
behavioral2/memory/1096-423-0x0000000000C30000-0x0000000000FE2000-memory.dmp	family_xworm
behavioral2/memory/1096-424-0x0000000000C30000-0x0000000000FE2000-memory.dmp	family_xworm
behavioral2/memory/1096-425-0x0000000000C30000-0x0000000000FE2000-memory.dmp	family_xworm
behavioral2/memory/1096-441-0x0000000000C30000-0x0000000000FE2000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2008	powershell.exe
2640	powershell.exe
3140	powershell.exe
1628	powershell.exe
1388	powershell.exe
4580	powershell.exe
1976	powershell.exe
1160	powershell.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	mowojh.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000800000002365c-483.dat	acprotect

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	UnblockYT .exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	YTunblock.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	YTunblock.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	iersmy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	UnblоckYT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	UnblоckYT .exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	YTunblock.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	YTunblock.exe

Executes dropped EXE 11 IoCs

pid	Process
4536	UnblоckYT .exe
416	UnblockYT .exe
1396	YTunblock.sfx.exe
636	YTunblock.exe
3232	svchost.exe
2404	mowojh.exe
3736	svchost.exe
400	svchost.exe
1096	svchost.exe
5116	iersmy.exe
4024	winlocker.exe

Loads dropped DLL 5 IoCs

pid	Process
4024	winlocker.exe
4024	winlocker.exe
4024	winlocker.exe
4024	winlocker.exe
4024	winlocker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000900000002364b-466.dat	upx
behavioral2/memory/4024-474-0x0000000000400000-0x0000000000AAB000-memory.dmp	upx
behavioral2/files/0x000800000002365c-483.dat	upx
behavioral2/memory/4024-486-0x0000000004390000-0x0000000004412000-memory.dmp	upx
behavioral2/memory/4024-489-0x0000000000400000-0x0000000000AAB000-memory.dmp	upx
behavioral2/memory/4024-493-0x0000000004390000-0x0000000004412000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	YTunblock.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
82	discord.com
83	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	ip-api.com
76	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 33 IoCs

pid	Process
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
3232	svchost.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
3736	svchost.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
400	svchost.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
1096	svchost.exe
636	YTunblock.exe
1096	svchost.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iersmy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YTunblock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1056	cmd.exe
972	PING.EXE

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Delays execution with timeout.exe 10 IoCs

evasion

pid	Process
4128	timeout.exe
3232	timeout.exe
2268	timeout.exe
2540	timeout.exe
2684	timeout.exe
2756	timeout.exe
1968	timeout.exe
3500	timeout.exe
5072	timeout.exe
4128	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1360	wmic.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2252	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
972	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3192	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2008	powershell.exe
2008	powershell.exe
2008	powershell.exe
2640	powershell.exe
2640	powershell.exe
2640	powershell.exe
3140	powershell.exe
3140	powershell.exe
3140	powershell.exe
1628	powershell.exe
1628	powershell.exe
1628	powershell.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
636	YTunblock.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	636	YTunblock.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	636	YTunblock.exe
Token: SeDebugPrivilege	3232	svchost.exe
Token: SeDebugPrivilege	2404	mowojh.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeIncreaseQuotaPrivilege	2132	wmic.exe
Token: SeSecurityPrivilege	2132	wmic.exe
Token: SeTakeOwnershipPrivilege	2132	wmic.exe
Token: SeLoadDriverPrivilege	2132	wmic.exe
Token: SeSystemProfilePrivilege	2132	wmic.exe
Token: SeSystemtimePrivilege	2132	wmic.exe
Token: SeProfSingleProcessPrivilege	2132	wmic.exe
Token: SeIncBasePriorityPrivilege	2132	wmic.exe
Token: SeCreatePagefilePrivilege	2132	wmic.exe
Token: SeBackupPrivilege	2132	wmic.exe
Token: SeRestorePrivilege	2132	wmic.exe
Token: SeShutdownPrivilege	2132	wmic.exe
Token: SeDebugPrivilege	2132	wmic.exe
Token: SeSystemEnvironmentPrivilege	2132	wmic.exe
Token: SeRemoteShutdownPrivilege	2132	wmic.exe
Token: SeUndockPrivilege	2132	wmic.exe
Token: SeManageVolumePrivilege	2132	wmic.exe
Token: 33	2132	wmic.exe
Token: 34	2132	wmic.exe
Token: 35	2132	wmic.exe
Token: 36	2132	wmic.exe
Token: SeIncreaseQuotaPrivilege	2132	wmic.exe
Token: SeSecurityPrivilege	2132	wmic.exe
Token: SeTakeOwnershipPrivilege	2132	wmic.exe
Token: SeLoadDriverPrivilege	2132	wmic.exe
Token: SeSystemProfilePrivilege	2132	wmic.exe
Token: SeSystemtimePrivilege	2132	wmic.exe
Token: SeProfSingleProcessPrivilege	2132	wmic.exe
Token: SeIncBasePriorityPrivilege	2132	wmic.exe
Token: SeCreatePagefilePrivilege	2132	wmic.exe
Token: SeBackupPrivilege	2132	wmic.exe
Token: SeRestorePrivilege	2132	wmic.exe
Token: SeShutdownPrivilege	2132	wmic.exe
Token: SeDebugPrivilege	2132	wmic.exe
Token: SeSystemEnvironmentPrivilege	2132	wmic.exe
Token: SeRemoteShutdownPrivilege	2132	wmic.exe
Token: SeUndockPrivilege	2132	wmic.exe
Token: SeManageVolumePrivilege	2132	wmic.exe
Token: 33	2132	wmic.exe
Token: 34	2132	wmic.exe
Token: 35	2132	wmic.exe
Token: 36	2132	wmic.exe
Token: SeIncreaseQuotaPrivilege	2552	wmic.exe
Token: SeSecurityPrivilege	2552	wmic.exe
Token: SeTakeOwnershipPrivilege	2552	wmic.exe
Token: SeLoadDriverPrivilege	2552	wmic.exe
Token: SeSystemProfilePrivilege	2552	wmic.exe
Token: SeSystemtimePrivilege	2552	wmic.exe
Token: SeProfSingleProcessPrivilege	2552	wmic.exe
Token: SeIncBasePriorityPrivilege	2552	wmic.exe
Token: SeCreatePagefilePrivilege	2552	wmic.exe
Token: SeBackupPrivilege	2552	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe
636	YTunblock.exe

Suspicious use of SendNotifyMessage 61 IoCs

pid	Process
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
636	YTunblock.exe
636	YTunblock.exe
3232	svchost.exe
3736	svchost.exe
400	svchost.exe
1096	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 4536	3460	UnblоckYT.exe	103
PID 3460 wrote to memory of 4536	3460	UnblоckYT.exe	103
PID 4536 wrote to memory of 416	4536	UnblоckYT .exe	105
PID 4536 wrote to memory of 416	4536	UnblоckYT .exe	105
PID 416 wrote to memory of 1396	416	UnblockYT .exe	106
PID 416 wrote to memory of 1396	416	UnblockYT .exe	106
PID 416 wrote to memory of 548	416	UnblockYT .exe	107
PID 416 wrote to memory of 548	416	UnblockYT .exe	107
PID 548 wrote to memory of 4128	548	cmd.exe	109
PID 548 wrote to memory of 4128	548	cmd.exe	109
PID 1396 wrote to memory of 636	1396	YTunblock.sfx.exe	110
PID 1396 wrote to memory of 636	1396	YTunblock.sfx.exe	110
PID 1396 wrote to memory of 636	1396	YTunblock.sfx.exe	110
PID 548 wrote to memory of 3500	548	cmd.exe	111
PID 548 wrote to memory of 3500	548	cmd.exe	111
PID 548 wrote to memory of 3232	548	cmd.exe	113
PID 548 wrote to memory of 3232	548	cmd.exe	113
PID 548 wrote to memory of 2268	548	cmd.exe	114
PID 548 wrote to memory of 2268	548	cmd.exe	114
PID 636 wrote to memory of 2008	636	YTunblock.exe	115
PID 636 wrote to memory of 2008	636	YTunblock.exe	115
PID 636 wrote to memory of 2008	636	YTunblock.exe	115
PID 636 wrote to memory of 2640	636	YTunblock.exe	118
PID 636 wrote to memory of 2640	636	YTunblock.exe	118
PID 636 wrote to memory of 2640	636	YTunblock.exe	118
PID 636 wrote to memory of 3140	636	YTunblock.exe	122
PID 636 wrote to memory of 3140	636	YTunblock.exe	122
PID 636 wrote to memory of 3140	636	YTunblock.exe	122
PID 636 wrote to memory of 1628	636	YTunblock.exe	124
PID 636 wrote to memory of 1628	636	YTunblock.exe	124
PID 636 wrote to memory of 1628	636	YTunblock.exe	124
PID 636 wrote to memory of 3192	636	YTunblock.exe	126
PID 636 wrote to memory of 3192	636	YTunblock.exe	126
PID 636 wrote to memory of 3192	636	YTunblock.exe	126
PID 548 wrote to memory of 2540	548	cmd.exe	128
PID 548 wrote to memory of 2540	548	cmd.exe	128
PID 548 wrote to memory of 2684	548	cmd.exe	129
PID 548 wrote to memory of 2684	548	cmd.exe	129
PID 548 wrote to memory of 2756	548	cmd.exe	130
PID 548 wrote to memory of 2756	548	cmd.exe	130
PID 548 wrote to memory of 5072	548	cmd.exe	131
PID 548 wrote to memory of 5072	548	cmd.exe	131
PID 548 wrote to memory of 4128	548	cmd.exe	132
PID 548 wrote to memory of 4128	548	cmd.exe	132
PID 548 wrote to memory of 1968	548	cmd.exe	133
PID 548 wrote to memory of 1968	548	cmd.exe	133
PID 636 wrote to memory of 2404	636	YTunblock.exe	141
PID 636 wrote to memory of 2404	636	YTunblock.exe	141
PID 2404 wrote to memory of 4908	2404	mowojh.exe	142
PID 2404 wrote to memory of 4908	2404	mowojh.exe	142
PID 2404 wrote to memory of 1388	2404	mowojh.exe	144
PID 2404 wrote to memory of 1388	2404	mowojh.exe	144
PID 2404 wrote to memory of 4580	2404	mowojh.exe	146
PID 2404 wrote to memory of 4580	2404	mowojh.exe	146
PID 2404 wrote to memory of 1976	2404	mowojh.exe	148
PID 2404 wrote to memory of 1976	2404	mowojh.exe	148
PID 2404 wrote to memory of 1348	2404	mowojh.exe	150
PID 2404 wrote to memory of 1348	2404	mowojh.exe	150
PID 2404 wrote to memory of 2132	2404	mowojh.exe	154
PID 2404 wrote to memory of 2132	2404	mowojh.exe	154
PID 2404 wrote to memory of 2552	2404	mowojh.exe	156
PID 2404 wrote to memory of 2552	2404	mowojh.exe	156
PID 2404 wrote to memory of 5092	2404	mowojh.exe	158
PID 2404 wrote to memory of 5092	2404	mowojh.exe	158

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4908	attrib.exe

C:\Users\Admin\AppData\Local\Temp\UnblоckYT.exe
"C:\Users\Admin\AppData\Local\Temp\UnblоckYT.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\AppData\Roaming\UnblоckYT .exe
  "C:\Users\Admin\AppData\Roaming\UnblоckYT .exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Users\Admin\AppData\Roaming\UnblockYT .exe
    "C:\Users\Admin\AppData\Roaming\UnblockYT .exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:416
  - - C:\Users\Admin\AppData\Roaming\YTunblock.sfx.exe
      "C:\Users\Admin\AppData\Roaming\YTunblock.sfx.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1396
    - - C:\Users\Admin\AppData\Roaming\YTunblock.exe
        
        "C:\Users\Admin\AppData\Roaming\YTunblock.exe"
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:636
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\YTunblock.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'YTunblock.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3140
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3192
      - C:\Users\Admin\AppData\Local\Temp\mowojh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mowojh.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\mowojh.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mowojh.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:5092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1160
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:1360
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\mowojh.exe" && pause
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1056
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:972
      - C:\Users\Admin\AppData\Local\Temp\iersmy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iersmy.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\winlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\winlocker.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM "explorer.exe""
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM "explorer.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\ .bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:548
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:4128
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 2 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3500
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3232
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2268
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2540
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2684
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 2 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2756
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:5072
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:4128
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3768,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4012 /prefetch:8
1⤵
PID:2248

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3232

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3736

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:400

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:3344

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:4404

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x508
1⤵
PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
522B

MD5
8334a471a4b492ece225b471b8ad2fc8

SHA1
1cb24640f32d23e8f7800bd0511b7b9c3011d992

SHA256
5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169

SHA512
56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ed5a80da8ea7fb21c3f39ffe43cbde61

SHA1
8868f178f51eb6b79e0e556c4ded3c5661f2ff59

SHA256
840df47eee3d8bc54c50de8f8b57bb58038f24c6ae2ad4b4ec12bd4a1070faad

SHA512
ac5b406f8380c5e5b1b7ab2dfd322f042d4694da6f3bfe083ee4b517adacbb4df01f43b3049eb5e5aab0c619b2809048479ff1f8d6c03585c382f62b875f6ac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4eae21b79d490dd7988a9df24d639df5

SHA1
02c581f663fbcd823a037cc469a8bc21492cdd0e

SHA256
078ecc248f3e1096f3944dc3cf10d4f22c4aa494d46ef3966dff9362af12dec0

SHA512
d5efbba2299416a31648ee559fe77093303b2d05e2db181ce17c011bfb762f64437c6ffb3b0a0fda3dff273475957c791aaf0bbb00d093f476d133f8cf0bb6cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
be68bf2a6871575f886772a9ca42f6bf

SHA1
3ed3976aa9d0938dc0da2a48298d8ba7de4c435f

SHA256
a6bea43c560586606456d961ccb86aa63116935d5e80378e6b104f18d74feb5b

SHA512
75dfbb2d4c3a9c7cfc262f45733c06a991ef631797e5de6e64afef16cc8f58ac6957470849b4302f7c41ec482caacbbd590aa70138530f8225b7b64877279bad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
64e48b896c2cbf9d26c6f39e39b01acb

SHA1
5fc3a0d0802c6e76048039849d27f8fb9cdeeffe

SHA256
f6b5b1ea1d3562a2802ab8ca2cd4fd6677fea47821991544b3471f934a4fa98b

SHA512
89c81e173fe3b00ba926d5de3db256203bf37ac6f8dc82bf231490ea13f729bf3bbfed1d68521574f4a08cd65227aaefb613d62549603ceddd4803c02a3c0f53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
ab15c2f399cbee7ce51a6d70081b97fc

SHA1
3224fa6dc24cb8bd9f79d327b17160690c8951c0

SHA256
06665303c0f3c538674a84cb319b028c5a7c1ce8024bcde1daff0b873555e242

SHA512
2f1aed3082fc5359da85a37b50395ff5614a167704a6ea36e9edb50b526392b0ed1305a1cf49ee511758ec3a951e109feb0af212375b789f0699abc956c318a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4e1c95ab59d121b8f15b647869a8eb8b

SHA1
af0801bed1009ec7349c4a1f22acca1902551728

SHA256
d06fcf2cb2320cf26303ae618e08faef44c524e7dd04bf78b5f530b7523a32bb

SHA512
1cd8a2dfc3d7cb747e12e21300953f97bb0ddef12beeff8ca59d6178e46e362a851eaf882a374c0537d7057fa1737021b809320ba2fff2bee9e05a342c414d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_40csyffk.ykt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ext\php_squall.dll

Filesize
126KB

MD5
6ff84bc8812b8c079fa6de68cf36ab59

SHA1
ca8789bbd7b0193221f9518e6b2f5b319c32b717

SHA256
7587e29919a56b6f94675e49208e1ae908bcab09363734d846502c3b4ad54326

SHA512
5ef9d9c1038b055186147cbfcfbedf54d6ecc235468ef4968630eb03368cf2c3f39dd600f1ebf9ecfe9b7cc134235b01a983a4fe9b6f292775244f837ec2e81f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iersmy.exe

Filesize
5.1MB

MD5
86a1cbee2b7dc5d64051c83c82c8d02b

SHA1
55d82d17f7f10d088909d0cb7116969d12308974

SHA256
d3f47cd85c525a0c3ed855949bf27023c27b24c51d388166d72d4fa8cae4c2f5

SHA512
6720ecb2799185bf2a03259766e3dd38aeaec674a3a28e657bd55131b1e9fb18fab118afc3aa7881de56d7af36d60bf8b29449065ba32c5cf0dea38fb892ecbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mowojh.exe

Filesize
231KB

MD5
ede529d8c059c544ed3b9e2e9c01d2aa

SHA1
cb97383079729fc976518c60b81779d2a197a09c

SHA256
7805a1ab09592daa4f146af406842f35432a9dc7fb0ef3b0d285d4f1625d9915

SHA512
eedcb584fb372ed9678d2e81ecdb9284465b4324ebb5be8be4bb6bf715fa342fbd40fef2cb3af3b35aa162cdc00be236139667f31eef2fb3bd8a21b884ab391c

Download Submit
C:\Users\Admin\AppData\Local\Temp\navalny.wma

Filesize
2.3MB

MD5
5944589557a469c108c45b6b11ab44d6

SHA1
46c96899e0aeb44fd4593d2d58c35f7ce6800f60

SHA256
a2bb3b4646344762852947fe006d03f0a6d390bbe8a1d9921be2ac0ba657b914

SHA512
399662d6d97e0911e07808deee6448794db039e6cca485052d642b975a52545c0203eebb1ca6eea8198a46ebfc5263fbef6383fe89df001fcdea0144fbf2e0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\php5ts.dll

Filesize
6.5MB

MD5
c9aff68f6673fae7580527e8c76805b6

SHA1
bb62cc1db82cfe07a8c08a36446569dfc9c76d10

SHA256
9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4

SHA512
c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56

Download Submit
C:\Users\Admin\AppData\Local\Temp\squall.dll

Filesize
177KB

MD5
b971f35ffcbbb307761eb89a21df12a7

SHA1
70de69bc3a53603eab2d83eae1363ce2448207cc

SHA256
05a30beb390ea86ca143a7e8f03c0a7aab7ddaf63229ee0d76366a217db9d864

SHA512
ea01509f808daeb4d5404c86162191f8f43a8fb009dc2be45b6d32e730b457c16c07d0ca56f56eb5f2f212507b7fa25da86dd1676ae480b147e633cacbc2b2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlocker.exe

Filesize
3.1MB

MD5
9f93492e155d1bf27b8077e991e6a5a0

SHA1
159d72ad8074b56562b1014393be24b402c3af39

SHA256
43eef3b68ebaab3efbe15eb3046281e380aa78003a0eda8757a9e44f6a59ec7f

SHA512
270bc608ac79ca92c8db6a1455a26f24d80844badc514d5db29acade5748513d8378e3d6d803e9cfb7bdab6482a992b7c6a60845b255f3be5cbf92a0a69db918

Download Submit
C:\Users\Admin\AppData\Roaming\UnblockYT .exe

Filesize
1.8MB

MD5
ddf02dfa6df9ee4e157d675e55a055c7

SHA1
d6fc1b85378c9ffae39dfaa0fc3a6876193ce933

SHA256
6ec4b872cd4c8aa6859574fb02187bda31fb71cbace5026c9e0d89e078b61730

SHA512
79b32c992e1adea1700fac6e87fe1dac0562fc6ff927f16b7464fa32793ff41cc9c1ad9caf323a87213f0cda7c32d29e155e1a5eed8f18d09819d13515b1a4a0

Download Submit
C:\Users\Admin\AppData\Roaming\UnblоckYT .exe

Filesize
2.0MB

MD5
9507d39a1268cc9bc49a89a5b6b1efde

SHA1
62919a92df361ec9f797066b8fd025d7e07c2795

SHA256
d815fcc722bee4f1025644dce314ce8c0b41d05491fd1e3c382a3b403564075f

SHA512
ffd75d68a7e8025c11922681b3214a8c96d70f7fd30f6eb7f6429e3865113f5406cc33ac76cd1580c03b64a52ff846c2c6e8d75968876ab7ac0625dd4873bbc0

Download Submit
C:\Users\Admin\AppData\Roaming\YTunblock.exe

Filesize
1.2MB

MD5
5c130e0ea8b936a34372663dd763f722

SHA1
cbb1efd33b28851682ae3f9699c79ffe705c780d

SHA256
262edf6e52c54494f19dd41c37307c6fb85bbd37820fb10df68a01f2f2fef644

SHA512
a4e7bc8a551507648651740ce87388929ab9c7c3c4997ba0c1fb15116a6e433e1660f11a65886b0ed7552264df74ce055a84fad4c96a057fb0b4c4c37b149f2e

Download Submit
C:\Users\Admin\AppData\Roaming\YTunblock.sfx.exe

Filesize
1.6MB

MD5
10aefe8560bf4e437d2f47bd469a59ff

SHA1
57c72df8758b6afcaa47d3dd9b46009b0d68f7e5

SHA256
56a5db69837d84f160c2ad3fd7c46ab658df9979d3ba34834a8b514e63626f11

SHA512
d8f6fd44f11b140c36bfa1d9d732f31d5bc308887fcce3605391ce30fa2fa360379d5c47e7ea2bb9ef5d7dea5b8f82bdd0d7e643a7d7d9de37b478ac7f43646d

Download Submit
C:\Users\Admin\AppData\Roaming\ .bat

Filesize
1KB

MD5
5807f01368bda72ebd943e8755fa2e0c

SHA1
f42940149bf0e256b14343c87f750c6cdac8ae72

SHA256
9c7be36ede7526e5d10e8af969dbf8d2b242ab9c52c107e9f42200fb0ee2ce2a

SHA512
31612135b0981a500b8b09c72809da0e66e0633885270aeb26de02c26dbdbb4d8b27299349cc352558a3c9ec18eda6840e380ca99473fde3882cbbe3e02dc107

Download Submit
memory/400-400-0x0000000000C30000-0x0000000000FE2000-memory.dmp

Filesize
3.7MB

Download
memory/400-399-0x0000000000C30000-0x0000000000FE2000-memory.dmp

Filesize
3.7MB

Download
memory/400-398-0x0000000000C30000-0x0000000000FE2000-memory.dmp

Filesize
3.7MB

Download
memory/400-402-0x0000000000C30000-0x0000000000FE2000-memory.dmp

Filesize
3.7MB

Download
memory/636-160-0x0000000006EC0000-0x0000000006F52000-memory.dmp

Filesize
584KB

Download
memory/636-65-0x0000000000640000-0x00000000009F2000-memory.dmp

Filesize
3.7MB

Download
memory/636-446-0x0000000000620000-0x000000000062E000-memory.dmp

Filesize
56KB

Download
memory/636-391-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/636-47-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/636-46-0x0000000005680000-0x000000000571C000-memory.dmp

Filesize
624KB

Download
memory/636-45-0x0000000000640000-0x00000000009F2000-memory.dmp

Filesize
3.7MB

Download
memory/636-43-0x0000000000640000-0x00000000009F2000-memory.dmp

Filesize
3.7MB

Download
memory/636-159-0x00000000070C0000-0x0000000007664000-memory.dmp

Filesize
5.6MB

Download
memory/636-272-0x0000000006EB0000-0x0000000006EBC000-memory.dmp

Filesize
48KB

Download
memory/636-161-0x0000000006E60000-0x0000000006E6A000-memory.dmp

Filesize
40KB

Download
memory/1096-441-0x0000000000C30000-0x0000000000FE2000-memory.dmp

Filesize
3.7MB

Download
memory/1096-423-0x0000000000C30000-0x0000000000FE2000-memory.dmp

Filesize
3.7MB

Download
memory/1096-424-0x0000000000C30000-0x0000000000FE2000-memory.dmp

Filesize
3.7MB

Download
memory/1096-425-0x0000000000C30000-0x0000000000FE2000-memory.dmp

Filesize
3.7MB

Download
memory/1388-301-0x000001603B630000-0x000001603B652000-memory.dmp

Filesize
136KB

Download
memory/1628-144-0x000000006F880000-0x000000006F8CC000-memory.dmp

Filesize
304KB

Download
memory/2008-82-0x0000000007C60000-0x0000000007CF6000-memory.dmp

Filesize
600KB

Download
memory/2008-61-0x0000000006100000-0x0000000006454000-memory.dmp

Filesize
3.3MB

Download
memory/2008-48-0x0000000002DA0000-0x0000000002DD6000-memory.dmp

Filesize
216KB

Download
memory/2008-49-0x0000000005980000-0x0000000005FA8000-memory.dmp

Filesize
6.2MB

Download
memory/2008-50-0x00000000058F0000-0x0000000005912000-memory.dmp

Filesize
136KB

Download
memory/2008-80-0x00000000079E0000-0x00000000079FA000-memory.dmp

Filesize
104KB

Download
memory/2008-79-0x0000000008020000-0x000000000869A000-memory.dmp

Filesize
6.5MB

Download
memory/2008-81-0x0000000007A50000-0x0000000007A5A000-memory.dmp

Filesize
40KB

Download
memory/2008-51-0x0000000006020000-0x0000000006086000-memory.dmp

Filesize
408KB

Download
memory/2008-85-0x0000000007C20000-0x0000000007C34000-memory.dmp

Filesize
80KB

Download
memory/2008-78-0x00000000078C0000-0x0000000007963000-memory.dmp

Filesize
652KB

Download
memory/2008-77-0x0000000006C70000-0x0000000006C8E000-memory.dmp

Filesize
120KB

Download
memory/2008-62-0x00000000066B0000-0x00000000066CE000-memory.dmp

Filesize
120KB

Download
memory/2008-83-0x0000000007BE0000-0x0000000007BF1000-memory.dmp

Filesize
68KB

Download
memory/2008-63-0x00000000069E0000-0x0000000006A2C000-memory.dmp

Filesize
304KB

Download
memory/2008-84-0x0000000007C10000-0x0000000007C1E000-memory.dmp

Filesize
56KB

Download
memory/2008-66-0x0000000006C90000-0x0000000006CC2000-memory.dmp

Filesize
200KB

Download
memory/2008-67-0x000000006F880000-0x000000006F8CC000-memory.dmp

Filesize
304KB

Download
memory/2008-87-0x0000000007D00000-0x0000000007D08000-memory.dmp

Filesize
32KB

Download
memory/2008-86-0x0000000007D20000-0x0000000007D3A000-memory.dmp

Filesize
104KB

Download
memory/2404-329-0x000001B140FD0000-0x000001B140FEE000-memory.dmp

Filesize
120KB

Download
memory/2404-300-0x000001B126910000-0x000001B126950000-memory.dmp

Filesize
256KB

Download
memory/2404-381-0x000001B141260000-0x000001B141409000-memory.dmp

Filesize
1.7MB

Download
memory/2404-363-0x000001B141110000-0x000001B141122000-memory.dmp

Filesize
72KB

Download
memory/2404-362-0x000001B1410E0000-0x000001B1410EA000-memory.dmp

Filesize
40KB

Download
memory/2404-328-0x000001B141000000-0x000001B141050000-memory.dmp

Filesize
320KB

Download
memory/2404-327-0x000001B141050000-0x000001B1410C6000-memory.dmp

Filesize
472KB

Download
memory/2640-100-0x0000000005440000-0x0000000005794000-memory.dmp

Filesize
3.3MB

Download
memory/2640-102-0x000000006F880000-0x000000006F8CC000-memory.dmp

Filesize
304KB

Download
memory/3140-123-0x000000006F880000-0x000000006F8CC000-memory.dmp

Filesize
304KB

Download
memory/3232-270-0x0000000000C30000-0x0000000000FE2000-memory.dmp

Filesize
3.7MB

Download
memory/3232-267-0x0000000000C30000-0x0000000000FE2000-memory.dmp

Filesize
3.7MB

Download
memory/3232-266-0x0000000000C30000-0x0000000000FE2000-memory.dmp

Filesize
3.7MB

Download
memory/3232-265-0x0000000000C30000-0x0000000000FE2000-memory.dmp

Filesize
3.7MB

Download
memory/3344-415-0x000001CF7E2A0000-0x000001CF7E2A1000-memory.dmp

Filesize
4KB

Download
memory/3344-416-0x000001CF7E2A0000-0x000001CF7E2A1000-memory.dmp

Filesize
4KB

Download
memory/3344-408-0x000001CF7E2A0000-0x000001CF7E2A1000-memory.dmp

Filesize
4KB

Download
memory/3344-409-0x000001CF7E2A0000-0x000001CF7E2A1000-memory.dmp

Filesize
4KB

Download
memory/3344-413-0x000001CF7E2A0000-0x000001CF7E2A1000-memory.dmp

Filesize
4KB

Download
memory/3344-414-0x000001CF7E2A0000-0x000001CF7E2A1000-memory.dmp

Filesize
4KB

Download
memory/3344-407-0x000001CF7E2A0000-0x000001CF7E2A1000-memory.dmp

Filesize
4KB

Download
memory/3344-419-0x000001CF7E2A0000-0x000001CF7E2A1000-memory.dmp

Filesize
4KB

Download
memory/3344-418-0x000001CF7E2A0000-0x000001CF7E2A1000-memory.dmp

Filesize
4KB

Download
memory/3344-417-0x000001CF7E2A0000-0x000001CF7E2A1000-memory.dmp

Filesize
4KB

Download
memory/3736-389-0x0000000000C30000-0x0000000000FE2000-memory.dmp

Filesize
3.7MB

Download
memory/3736-387-0x0000000000C30000-0x0000000000FE2000-memory.dmp

Filesize
3.7MB

Download
memory/3736-385-0x0000000000C30000-0x0000000000FE2000-memory.dmp

Filesize
3.7MB

Download
memory/4024-474-0x0000000000400000-0x0000000000AAB000-memory.dmp

Filesize
6.7MB

Download
memory/4024-486-0x0000000004390000-0x0000000004412000-memory.dmp

Filesize
520KB

Download
memory/4024-482-0x0000000002A00000-0x0000000002A2A000-memory.dmp

Filesize
168KB

Download
memory/4024-489-0x0000000000400000-0x0000000000AAB000-memory.dmp

Filesize
6.7MB

Download
memory/4024-493-0x0000000004390000-0x0000000004412000-memory.dmp

Filesize
520KB

Download
memory/4024-491-0x0000000002A00000-0x0000000002A2A000-memory.dmp

Filesize
168KB

Download