{
  "Event": {
    "analysis": "1",
    "date": "2026-04-01",
    "extends_uuid": "",
    "info": "[Threat Intel] Stranger Strings: Yurei Ransomware Operator Toolkit Exposed",
    "protected": false,
    "publish_timestamp": "1775970086",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1775970086",
    "uuid": "7d1ee2df-cec1-45d2-a0f0-d7298667a620",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#e57031",
        "local": false,
        "name": "misp-galaxy:producer=\"Team Cymru\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#50bd28",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Service Discovery - T1046\"",
        "relationship_type": ""
      },
      {
        "colour": "#1ef2bb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Pass the Hash - T1550.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:ransomware=\"yurei\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"Ransomware\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Rubeus\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775098809",
        "to_ids": false,
        "type": "link",
        "uuid": "7ad42d6b-9f51-442f-89b8-28dfad64689d",
        "value": "https://www.team-cymru.com/post/yurei-double-extortion-ransomware-campaign-toolkit"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775098809",
        "to_ids": false,
        "type": "text",
        "uuid": "aa685ab6-53d2-4f3a-b0c7-98907f87cca5",
        "value": "Active since September 2025, Yurei is a double extortion ransomware campaign. The operators run their own Tor data leak site with a low number of victims listed at the time of writing. It is reportedly derived from Prince Ransomware, an open-source ransomware family written in Go. Check Point researchers noted that all samples were first submitted to VirusTotal from Morocco, and that one sample did not include a ticket ID, indicating that this could be a test build, possibly uploaded by the developer themselves. Yurei ransomware samples also contained a link to SatanLockv2, based on the presence of the PDB path string \u201cD:\\satanlockv2\u201d present in the Yurei samples."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775098809",
        "to_ids": false,
        "type": "text",
        "uuid": "511b16de-8236-4f9f-93ee-9ae38714a081",
        "value": "Name: Stranger Strings: Yurei Ransomware Operator Toolkit Exposed\nAuthor: AlienVault\nAdversary: \nTags: [\"Yurei Ransomware\", \"NetExec\", \"NetScan\", \"Infostealers\", \"AnyDesk\"]\nTargeted countries: []\nMalware families: []\nATT&CK IDs: [\"T1059.001\", \"T1078\", \"T1046\", \"T1550.002\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "Yurei open directory server (per the Team Cymru report); the address may have been reassigned since observation, so validate before blocking on this ip-dst",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775965271",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "7d6b0084-d624-4f96-9016-a3d621f0ca59",
        "value": "44.210.101.86",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Yurei open directory server (per the Team Cymru report); the address may have been reassigned since observation, so validate before blocking on this ip-dst",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775965293",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "472277af-8f8a-4262-854f-fe8d460341b1",
        "value": "44.223.40.182",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965314",
        "uuid": "35299f02-c82f-491a-a738-b2e9ee5efcc0",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Internal enumeration script",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965314",
            "to_ids": true,
            "type": "md5",
            "uuid": "a38ba3ba-a208-4cf4-8132-83a581ff973c",
            "value": "9ddd82fed27db8a5cbfa41b833aa3e03",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Internal enumeration script",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964136",
            "to_ids": true,
            "type": "sha1",
            "uuid": "db9b2737-78fe-4bfe-acae-e0d775bc81de",
            "value": "9647f89e446ddf5f39f7e01b2181eb02f609c6d1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Internal enumeration script",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964136",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a9b143c5-ae41-4eb2-ae68-cac989917496",
            "value": "1facf7cdd94eed0a8a11b30f4237699385b20578339c68df01e542d772ccbce5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963140",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "fa54a2bf-55d1-4edc-a04f-92d38c892b86",
            "value": "24:QH0M0OKDUPtBaQVFOQUk4TTJdaJALhWlSpZvEnBDsDolYyF/7y1QyEP9yvFfyMNk:Th1UPtBiaALaGLUlSpBWDsUCWzly69yw"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963140",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bd449b37-9c49-4dc7-9e4b-053c9ad3adce",
            "value": "1501"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963140",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f0f3d385-6e28-405c-a3b3-c3e3a53e99bf",
            "value": "de1b9f4518365e7c1ba53882794831bc"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963140",
            "to_ids": true,
            "type": "filename",
            "uuid": "769de38d-3d24-40f7-b2cb-c1d80fc5241c",
            "value": "Host_Discovery.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-12\nLast-scan: 2026-04-11",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963140",
            "to_ids": false,
            "type": "text",
            "uuid": "0ad2382d-bf77-403a-93cd-bebb67d6432a",
            "value": "Internal enumeration script\nType Description: PowerShell\nMicrosoft: None\nVT Total Detection: 11/62\nFirst Submission: 2026-01-05T21:30:06.000000+00:00\nLast Submission: 2026-01-05T21:47:24.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965335",
        "uuid": "1374b026-a6fb-49c4-90bd-bfa08871ceca",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "the script that executes StrangerThings.exe",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965335",
            "to_ids": true,
            "type": "md5",
            "uuid": "8d84148e-28bc-48fb-adfd-b2c6215f8228",
            "value": "b43729ea66216ef2fb7ef9c5ca56aab3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "the script that executes StrangerThings.exe",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964137",
            "to_ids": true,
            "type": "sha1",
            "uuid": "fbef5a15-2f1c-41c2-a530-31798ee0ef9a",
            "value": "5b34a94d50b8eae28fd91616dcd0d1e28cd87b26",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "the script that executes StrangerThings.exe",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964137",
            "to_ids": true,
            "type": "sha256",
            "uuid": "85e50334-0cea-47d1-b33c-bafb26237f61",
            "value": "26f51df1a12230b6bb583f3003c102a79106b049f89d9b9d43c6e85e072bd99e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963162",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c86b05af-e665-41c3-9cee-82cc1ef79339",
            "value": "12:vyVH3HJTTRqB24qKi04HQQaSvWKNJbingkbQpc4VM4V5mvWKChdvWuIJgBBy3:vyJ/qNY9HQ3oJERbMVMocu0gU"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963162",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "13bc212c-1578-4084-9505-2385d8e74432",
            "value": "748"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963162",
            "to_ids": true,
            "type": "vhash",
            "uuid": "edb5c2f3-a0c4-42a0-8af1-745a3ed30d1c",
            "value": "07f6ca9e137c603741a13670cb13d93e"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963162",
            "to_ids": true,
            "type": "filename",
            "uuid": "87797683-1e1e-4f2d-92b7-16cbc54267b5",
            "value": "Vecna.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-12\nLast-scan: 2026-04-11",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963162",
            "to_ids": false,
            "type": "text",
            "uuid": "a59b7b88-ac20-49ab-8d26-944471da68d2",
            "value": "The script that executes StrangerThings.exe\nType Description: PowerShell\nMicrosoft: None\nVT Total Detection: 10/62\nFirst Submission: 2026-01-05T21:37:02.000000+00:00\nLast Submission: 2026-01-05T21:45:32.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965358",
        "uuid": "2e0105b6-5f8d-45d5-a086-693a46ec787f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Yurei Ransomware Binary",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965358",
            "to_ids": true,
            "type": "md5",
            "uuid": "9802f750-a30c-48c0-8fb5-2e385c328728",
            "value": "964540e24c4e2e048e4600e5f590bf96",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Yurei Ransomware Binary",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964139",
            "to_ids": true,
            "type": "sha1",
            "uuid": "37f31b44-bb49-4f97-b675-bc66b96600ae",
            "value": "d4757f035c3447c33c2347101d08c1e798f1a044",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Yurei Ransomware Binary",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964139",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0f381172-2420-41c9-97ba-3f8761bbdc31",
            "value": "4f88d3977a24fb160fc3ba69821287a197ae9b04493d705dc2fe939442ba6461",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963184",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "79bf0941-b8da-4c68-9727-d2010a719c85",
            "value": "49152:UhLOg7cJBDHPTa8PM7myuSKszC1KxK9Km/d5E:U0VVndSUX/zE"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963184",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3232e053-bd2d-4213-ae50-a1f17e4e9915",
            "value": "2848768"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963184",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a511f5b7-bed2-4b04-bf03-1f095e6b0889",
            "value": "026086655d65551d15541az2e!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963184",
            "to_ids": true,
            "type": "filename",
            "uuid": "b3ed7d44-893b-4f3f-ae9d-4f80673b9dc5",
            "value": "4f88d3977a24fb160fc3ba69821287a197ae9b04493d705dc2fe939442ba6461.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-12\nLast-scan: 2026-04-05",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963184",
            "to_ids": false,
            "type": "text",
            "uuid": "4e709cea-1080-4225-8538-92c731849f96",
            "value": "Yurei Ransomware Binary\nType Description: Win32 EXE\nMicrosoft: Ransom:Win64/PrincessLocker.CD!MTB\nVT Total Detection: 57/72\nFirst Submission: 2025-09-07T17:05:05.000000+00:00\nLast Submission: 2026-04-04T19:15:31.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965379",
        "uuid": "2ef533a1-6df9-4f74-991b-2073333622e2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Kills Windows security software such as Defender and the free backup tool SysRestore",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965379",
            "to_ids": true,
            "type": "md5",
            "uuid": "469e25ff-b752-462d-8138-4563e2ae3c4c",
            "value": "2aed22880da64e16fa6a518c800bdc71",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Kills Windows security software such as Defender and the free backup tool SysRestore",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964139",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0940859b-ec03-4def-9740-5af7bd4aec02",
            "value": "7fc4d2a422b4ab31ace6f77bbb653899fa37e9d1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Kills Windows security software such as Defender and the free backup tool SysRestore",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964139",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a70c8afd-04de-4daf-a355-d3ee1c5c42b8",
            "value": "ebfe75ab3223b036a4b886d497f2b172425b3e63890d485c99353773d4c436ea",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963206",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "923c6651-64a3-467f-9781-3a0c447d4c72",
            "value": "48:NhXhfUr54sMf3j5954THJJfVml97oWRitMuU1PtnMVMv+DXwuKnzBlDjmyl:Lx0y3tT4THJJfVm3bXnrvdnfmyl"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963206",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3ca00e4d-aad0-4ddb-a38c-1feda025f4e6",
            "value": "2315"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963206",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4061c1a9-f976-4d65-b28c-a81d32762876",
            "value": "7780b4c2fb49f5b65a90dd067f0bd85f"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963206",
            "to_ids": true,
            "type": "filename",
            "uuid": "6ee37bab-60ab-484d-a49e-a3fc5ab13b7e",
            "value": "FixingIssues2.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-12\nLast-scan: 2026-04-10",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963206",
            "to_ids": false,
            "type": "text",
            "uuid": "53cebef7-073b-44a5-a3fd-64b14813f15f",
            "value": "Kills Windows security software such as Defender and the free backup tool SysRestore\nType Description: PowerShell\nMicrosoft: None\nVT Total Detection: 11/62\nFirst Submission: 2026-01-05T21:28:03.000000+00:00\nLast Submission: 2026-01-06T09:45:08.000000+00:00"
          }
        ]
      }
    ]
  }
}