cerealwitmilk / Byfron-Bypass

Do What The F*ck You Want To Public License

why it closes discord and how do i use this? #1

Open Plackys opened 6 months ago

Plackys commented 6 months ago

When I open this program it closes Discord and 2 programs are running in the background. How do I use this? Do I, like, open Roblox and start exploiting with, like, Fluxus or Electron?

nicoz2 commented 6 months ago

This is 100% a RAT + this is not the cerealwithmilk account.

nicoz2 commented 6 months ago

I checked on a VM and it opens cmd and it starts deleting every file, and it created a temp system C:\Users\Admin\AppData\Local\Temp\2ZGuDZAR8OW1mWCAKVO9hQnqyr0\System.exe (VM). That is where the 2 system processes named System come from; what the 2 processes were doing was opening cmd and deleting files, like C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZGuDZAR8OW1mWCAKVO9hQnqyr0\resources\app.asar.unpacked\bind\main.exe" (that is the command it executed) or C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"" (it deleted 7-Zip and it will start deleting everything).

After uninstalling files it does this: powershell Get-Clipboard, and then it started deleting more files: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"" (now it deleted VLC and is deleting it from the registry).

Next it opens powershell and runs powershell.exe -NoProfile -Command "& {netsh wlan show profile}" and powershell.exe -NoProfile -Command "& {powershell Get-Clipboard}", then it does this (powershell.exe -NoProfile -Command with the following script):

```powershell
function Get-AntiVirusProduct {
    [CmdletBinding()]
    param (
        [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
        [Alias('name')]
        $computername = $env:computername
    )

    # Query Security Center for every registered antivirus product
    $AntiVirusProducts = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername

    $ret = @()
    foreach ($AntiVirusProduct in $AntiVirusProducts) {
        # productState encodes definition age and real-time protection state
        switch ($AntiVirusProduct.productState) {
            "262144" { $defstatus = "Up to date";   $rtstatus = "Disabled" }
            "262160" { $defstatus = "Out of date";  $rtstatus = "Disabled" }
            "266240" { $defstatus = "Up to date";   $rtstatus = "Enabled" }
            "266256" { $defstatus = "Out of date";  $rtstatus = "Enabled" }
            "393216" { $defstatus = "Up to date";   $rtstatus = "Disabled" }
            "393232" { $defstatus = "Out of date";  $rtstatus = "Disabled" }
            "393488" { $defstatus = "Out of date";  $rtstatus = "Disabled" }
            "397312" { $defstatus = "Up to date";   $rtstatus = "Enabled" }
            "397328" { $defstatus = "Out of date";  $rtstatus = "Enabled" }
            "397584" { $defstatus = "Out of date";  $rtstatus = "Enabled" }
            default  { $defstatus = "Unknown";      $rtstatus = "Unknown" }
        }
        $ht = @{}
        $ht.Computername = $computername
        $ht.Name = $AntiVirusProduct.displayName
        $ht.'Product GUID' = $AntiVirusProduct.instanceGuid
        $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe
        $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe
        $ht.'Definition Status' = $defstatus
        $ht.'Real-time Protection Status' = $rtstatus

        # Create a new object for each computer
        $ret += New-Object -TypeName PSObject -Property $ht
    }
    Return $ret
}
Get-AntiVirusProduct
```

(It executed this code; basically it checks smth of the antivirus or tries disabling it/deleting it.) Then it starts spamming C:\Windows\system32\cmd.exe /d /s /c "tasklist" and C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1" and more like get clipboard. Then it does this: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault (which I think changes smth).

Then the DNS are these: ipinfo. io, 201.178.17.96.in-addr.arpa (Remote address: 8.8.8.8:53), Request 208.194.73.20.in-addr.arpa IN PTR, g.bing.com, 200.197.79.204.in-addr.arpa, 88.156.103.20.in-addr.arpa and more DNS. Then it downloaded these: C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Filesize 64B

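As an added example (not code from the repository or from nicoz2's report), here is a small triage script a defender could run over process-creation records: it tags each command line with the discovery/collection behaviours described in the comment above (reg QUERY of Uninstall keys, netsh wlan show profile, Get-Clipboard, SecurityCenter2 AntiVirusProduct, tasklist/wmic, BackupProductKeyDefault) and only flags a parent process whose children cover several of them in one run, since any single one of these commands is normal on an admin box. The log records, PIDs and category names are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed process-creation records (pid, parent pid, command line) modelled on
# the behaviour described in the comment above; PIDs and the benign rows are made up.
SAMPLE_PROCESS_LOG = [
    (201, 200, r'C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""'),
    (202, 200, r'powershell.exe -NoProfile -Command "& {netsh wlan show profile}"'),
    (203, 200, r'powershell.exe -NoProfile -Command "& {powershell Get-Clipboard}"'),
    (204, 200, r'powershell.exe -NoProfile -Command "& { Get-WmiObject -Namespace \"root\SecurityCenter2\" -Class AntiVirusProduct }"'),
    (205, 200, r'C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"'),
    (206, 200, r"powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"),
    (301, 300, r'C:\Windows\system32\cmd.exe /c tasklist'),                   # an admin listing processes: one category only
    (302, 300, r'C:\Windows\system32\notepad.exe C:\Users\Admin\notes.txt'),  # benign, no hits
]

# One rule per behaviour; each pattern is applied to the lower-cased command line.
RULES = [
    ("installed_software_discovery", re.compile(r'reg(?:\.exe)?\s+query\s+"?hklm\\software\\microsoft\\windows\\currentversion\\uninstall')),
    ("wifi_profile_discovery", re.compile(r"netsh\s+wlan\s+show\s+profile")),
    ("clipboard_collection", re.compile(r"get-clipboard")),
    ("av_enumeration", re.compile(r"securitycenter2.*antivirusproduct")),
    ("host_discovery", re.compile(r"\btasklist\b|wmic\s+os\s+get")),
    ("license_key_collection", re.compile(r"softwareprotectionplatform.*backupproductkeydefault")),
]

def classify(cmdline):
    """Return the behaviour categories a single command line matches."""
    low = cmdline.lower()
    return [cat for cat, rx in RULES if rx.search(low)]

def triage(process_log, threshold=3):
    """Group category hits by parent PID and return only parents whose children
    cover at least `threshold` distinct categories: that breadth in one run is
    what the stealer-like chain described above looks like, while a lone
    tasklist or reg query from an admin session stays below the bar."""
    by_parent = defaultdict(set)
    for _pid, ppid, cmd in process_log:
        for cat in classify(cmd):
            by_parent[ppid].add(cat)
    return {ppid: sorted(cats) for ppid, cats in by_parent.items() if len(cats) >= threshold}

if __name__ == "__main__":
    for ppid, cats in triage(SAMPLE_PROCESS_LOG).items():
        print(f"parent {ppid} flagged: {', '.join(cats)}")
```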

nicoz2 commented 6 months ago

If you want to check: https://tria.ge/240105-2gm89sdaf6/behavioral2