f911a357abf083c321d7240e1070b470c9d2a64c1503700dbec45980c88c0aa4

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Venom-Rat-Cracked--main/Venom Activated Cracked.exe
Size

10.1MB
MD5

4dabfeed4b250a3248714458ae370ca8
SHA1

6e215b2a20039a4dbde18579a1419a4eb10946ac
SHA256

eb23cbc820d2b8fdc0227b2e89274edf2671163cae40e0a9bb930b91c05ac3a9
SHA512

7ea826cf27da942ce2e9db4a800b3c247670a8fc260af8686d14c48583f38f14b935d5af282a3774a9811f0957ca7318dc883307254554e907f7cfb5f6419a4c
SSDEEP

196608:m6+0f/ylacMb5mCbClb12UK4RDx5gRIAL1xXPm68DwOHRR+kc4N4FmDdgW7NaREE:m0f/KacMbR2J2UKEdiRIAL1xXPCwkEn7

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 64 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
6400	netsh.exe
2924	netsh.exe
7968	netsh.exe
9508	netsh.exe
2776	netsh.exe
2052	netsh.exe
1512	netsh.exe
1316	netsh.exe
11108	netsh.exe
4816	netsh.exe
7320	netsh.exe
10372	netsh.exe
10584	netsh.exe
7500	netsh.exe
7304	netsh.exe
4408	netsh.exe
5432	netsh.exe
3712	netsh.exe
3860	netsh.exe
1672	netsh.exe
9284	netsh.exe
9824	netsh.exe
10260	netsh.exe
304	netsh.exe
1868	netsh.exe
4156	netsh.exe
8656	netsh.exe
8456	netsh.exe
1704	netsh.exe
5600	netsh.exe
6316	netsh.exe
2980	netsh.exe
1876	netsh.exe
3076	netsh.exe
6056	netsh.exe
1312	netsh.exe
5440	netsh.exe
7016	netsh.exe
8128	netsh.exe
3792	netsh.exe
5756	netsh.exe
3520	netsh.exe
2272	netsh.exe
7332	netsh.exe
1252	netsh.exe
3920	netsh.exe
3532	netsh.exe
10448	netsh.exe
8936	netsh.exe
3584	netsh.exe
5028	netsh.exe
1360	netsh.exe
8924	netsh.exe
9388	netsh.exe
3192	netsh.exe
4968	netsh.exe
10832	netsh.exe
10580	netsh.exe
1704	netsh.exe
1252	netsh.exe
9532	netsh.exe
5244	netsh.exe
8036	netsh.exe
9640	netsh.exe

Drops startup file 2 IoCs

Processes:

firewall.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	firewall.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	firewall.exe

Executes dropped EXE 64 IoCs

Processes:

Venom Cracked.exeMajid Z Hacker.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exefirewall.exeMajid Z Hacker.exeMajid Z Hacker.exefirewall.exefirewall.exeMajid Z Hacker.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exe

pid	process
1032	Venom Cracked.exe
1964	Majid Z Hacker.exe
2616	Majid Z Hacker.exe
2720	firewall.exe
2576	Majid Z Hacker.exe
2600	firewall.exe
2752	Majid Z Hacker.exe
2500	firewall.exe
2604	Majid Z Hacker.exe
2632	firewall.exe
2508	Majid Z Hacker.exe
2588	firewall.exe
2272	Majid Z Hacker.exe
1108	firewall.exe
2840	Majid Z Hacker.exe
2888	firewall.exe
2884	Majid Z Hacker.exe
2900	firewall.exe
1716	Majid Z Hacker.exe
2348	firewall.exe
1444	Majid Z Hacker.exe
2524	firewall.exe
3032	Majid Z Hacker.exe
1916	firewall.exe
2940	Majid Z Hacker.exe
1820	firewall.exe
484	Majid Z Hacker.exe
1796	firewall.exe
1976	Majid Z Hacker.exe
1784	firewall.exe
2056	firewall.exe
2012	Majid Z Hacker.exe
1596	Majid Z Hacker.exe
1592	firewall.exe
2064	firewall.exe
1968	Majid Z Hacker.exe
1932	Majid Z Hacker.exe
2660	firewall.exe
1312	Majid Z Hacker.exe
2764	firewall.exe
1436	Majid Z Hacker.exe
2728	firewall.exe
1588	Majid Z Hacker.exe
2932	firewall.exe
2412	Majid Z Hacker.exe
2680	firewall.exe
1628	Majid Z Hacker.exe
2012	firewall.exe
3200	Majid Z Hacker.exe
3208	firewall.exe
3364	Majid Z Hacker.exe
3372	firewall.exe
3468	Majid Z Hacker.exe
3492	firewall.exe
3676	Majid Z Hacker.exe
3728	firewall.exe
3844	Majid Z Hacker.exe
3900	firewall.exe
4012	Majid Z Hacker.exe
4068	firewall.exe
3152	Majid Z Hacker.exe
3228	firewall.exe
3252	Majid Z Hacker.exe
3332	firewall.exe

Loads dropped DLL 64 IoCs

Processes:

Venom Activated Cracked.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exeMajid Z Hacker.exedw20.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exedw20.exedw20.exedw20.exedw20.exedw20.exeMajid Z Hacker.exe

pid	process
2316	Venom Activated Cracked.exe
2316	Venom Activated Cracked.exe
1964	Majid Z Hacker.exe
1964	Majid Z Hacker.exe
2616	Majid Z Hacker.exe
2616	Majid Z Hacker.exe
2576	Majid Z Hacker.exe
2576	Majid Z Hacker.exe
2752	Majid Z Hacker.exe
2752	Majid Z Hacker.exe
2604	Majid Z Hacker.exe
2604	Majid Z Hacker.exe
2508	Majid Z Hacker.exe
2508	Majid Z Hacker.exe
2272	Majid Z Hacker.exe
2272	Majid Z Hacker.exe
2840	Majid Z Hacker.exe
2840	Majid Z Hacker.exe
2884	Majid Z Hacker.exe
2884	Majid Z Hacker.exe
1716	Majid Z Hacker.exe
1716	Majid Z Hacker.exe
1444	Majid Z Hacker.exe
1444	Majid Z Hacker.exe
3032	Majid Z Hacker.exe
3032	Majid Z Hacker.exe
2940	Majid Z Hacker.exe
1760	dw20.exe
2772	dw20.exe
2804	dw20.exe
2940	Majid Z Hacker.exe
700	dw20.exe
2556	dw20.exe
2036	dw20.exe
1296	dw20.exe
2812	dw20.exe
2196	dw20.exe
484	Majid Z Hacker.exe
484	Majid Z Hacker.exe
2252	dw20.exe
1976	Majid Z Hacker.exe
1976	Majid Z Hacker.exe
2012	Majid Z Hacker.exe
2012	Majid Z Hacker.exe
1596	Majid Z Hacker.exe
1596	Majid Z Hacker.exe
1968	Majid Z Hacker.exe
1968	Majid Z Hacker.exe
1932	Majid Z Hacker.exe
1932	Majid Z Hacker.exe
1312	Majid Z Hacker.exe
1312	Majid Z Hacker.exe
1436	Majid Z Hacker.exe
1436	Majid Z Hacker.exe
1588	Majid Z Hacker.exe
1588	Majid Z Hacker.exe
2412	Majid Z Hacker.exe
2412	Majid Z Hacker.exe
2620	dw20.exe
2116	dw20.exe
1852	dw20.exe
1436	dw20.exe
2880	dw20.exe
1628	Majid Z Hacker.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

firewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe

Drops autorun.inf file 1 TTPs 64 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

description	ioc	process
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

firewall.exefirewall.exe

pid	process
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe

Suspicious behavior: GetForegroundWindowSpam 16 IoCs

Processes:

dw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exe

pid	process
2036	dw20.exe
1296	dw20.exe
2812	dw20.exe
1760	dw20.exe
2804	dw20.exe
2772	dw20.exe
2556	dw20.exe
700	dw20.exe
2196	dw20.exe
2252	dw20.exe
2620	dw20.exe
1436	dw20.exe
2880	dw20.exe
2116	dw20.exe
1852	dw20.exe
3276	dw20.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2524	firewall.exe
Token: SeDebugPrivilege	1820	firewall.exe
Token: SeDebugPrivilege	1796	firewall.exe
Token: SeDebugPrivilege	1784	firewall.exe
Token: SeDebugPrivilege	2056	firewall.exe
Token: SeDebugPrivilege	1592	firewall.exe
Token: SeDebugPrivilege	2064	firewall.exe
Token: SeDebugPrivilege	2660	firewall.exe
Token: SeDebugPrivilege	2764	firewall.exe
Token: SeDebugPrivilege	2728	firewall.exe
Token: SeDebugPrivilege	2932	firewall.exe
Token: SeDebugPrivilege	2680	firewall.exe
Token: SeDebugPrivilege	1916	firewall.exe
Token: SeDebugPrivilege	2600	firewall.exe
Token: SeDebugPrivilege	2720	firewall.exe
Token: SeDebugPrivilege	2900	firewall.exe
Token: SeDebugPrivilege	2012	firewall.exe
Token: SeDebugPrivilege	3208	firewall.exe
Token: SeDebugPrivilege	3372	firewall.exe
Token: SeDebugPrivilege	3492	firewall.exe
Token: SeDebugPrivilege	3728	firewall.exe
Token: SeDebugPrivilege	3900	firewall.exe
Token: SeDebugPrivilege	4068	firewall.exe
Token: SeDebugPrivilege	3228	firewall.exe
Token: SeDebugPrivilege	3332	firewall.exe
Token: SeDebugPrivilege	3596	firewall.exe
Token: SeDebugPrivilege	3868	firewall.exe
Token: SeDebugPrivilege	3592	firewall.exe
Token: SeDebugPrivilege	2504	firewall.exe
Token: SeDebugPrivilege	3684	firewall.exe
Token: SeDebugPrivilege	3816	firewall.exe
Token: SeDebugPrivilege	3460	firewall.exe
Token: SeDebugPrivilege	2888	firewall.exe
Token: SeDebugPrivilege	2500	firewall.exe
Token: SeDebugPrivilege	2632	firewall.exe
Token: SeDebugPrivilege	2588	firewall.exe
Token: SeDebugPrivilege	3200	firewall.exe
Token: SeDebugPrivilege	4092	firewall.exe
Token: SeDebugPrivilege	3720	firewall.exe
Token: SeDebugPrivilege	3132	firewall.exe
Token: SeDebugPrivilege	3716	firewall.exe
Token: SeDebugPrivilege	3088	firewall.exe
Token: SeDebugPrivilege	892	firewall.exe
Token: SeDebugPrivilege	3324	firewall.exe
Token: SeDebugPrivilege	3360	firewall.exe
Token: SeDebugPrivilege	4268	firewall.exe
Token: SeDebugPrivilege	4436	firewall.exe
Token: SeDebugPrivilege	4608	firewall.exe
Token: SeDebugPrivilege	4768	firewall.exe
Token: SeDebugPrivilege	4892	firewall.exe
Token: SeDebugPrivilege	5060	firewall.exe
Token: SeDebugPrivilege	4160	firewall.exe
Token: SeDebugPrivilege	4396	firewall.exe
Token: SeDebugPrivilege	4148	firewall.exe
Token: SeDebugPrivilege	4836	firewall.exe
Token: SeDebugPrivilege	5092	firewall.exe
Token: SeDebugPrivilege	3928	firewall.exe
Token: SeDebugPrivilege	4568	firewall.exe
Token: SeDebugPrivilege	4476	firewall.exe
Token: SeDebugPrivilege	3704	firewall.exe
Token: SeDebugPrivilege	4428	firewall.exe
Token: SeDebugPrivilege	4332	firewall.exe
Token: SeDebugPrivilege	5080	firewall.exe
Token: SeDebugPrivilege	4724	firewall.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Venom Activated Cracked.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exe

description	pid	process	target process
PID 2316 wrote to memory of 1032	2316	Venom Activated Cracked.exe	Venom Cracked.exe
PID 2316 wrote to memory of 1032	2316	Venom Activated Cracked.exe	Venom Cracked.exe
PID 2316 wrote to memory of 1032	2316	Venom Activated Cracked.exe	Venom Cracked.exe
PID 2316 wrote to memory of 1032	2316	Venom Activated Cracked.exe	Venom Cracked.exe
PID 2316 wrote to memory of 1964	2316	Venom Activated Cracked.exe	Majid Z Hacker.exe
PID 2316 wrote to memory of 1964	2316	Venom Activated Cracked.exe	Majid Z Hacker.exe
PID 2316 wrote to memory of 1964	2316	Venom Activated Cracked.exe	Majid Z Hacker.exe
PID 2316 wrote to memory of 1964	2316	Venom Activated Cracked.exe	Majid Z Hacker.exe
PID 1964 wrote to memory of 2616	1964	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 1964 wrote to memory of 2616	1964	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 1964 wrote to memory of 2616	1964	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 1964 wrote to memory of 2616	1964	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 1964 wrote to memory of 2720	1964	Majid Z Hacker.exe	firewall.exe
PID 1964 wrote to memory of 2720	1964	Majid Z Hacker.exe	firewall.exe
PID 1964 wrote to memory of 2720	1964	Majid Z Hacker.exe	firewall.exe
PID 1964 wrote to memory of 2720	1964	Majid Z Hacker.exe	firewall.exe
PID 2616 wrote to memory of 2576	2616	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2616 wrote to memory of 2576	2616	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2616 wrote to memory of 2576	2616	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2616 wrote to memory of 2576	2616	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2616 wrote to memory of 2600	2616	Majid Z Hacker.exe	firewall.exe
PID 2616 wrote to memory of 2600	2616	Majid Z Hacker.exe	firewall.exe
PID 2616 wrote to memory of 2600	2616	Majid Z Hacker.exe	firewall.exe
PID 2616 wrote to memory of 2600	2616	Majid Z Hacker.exe	firewall.exe
PID 2576 wrote to memory of 2752	2576	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2576 wrote to memory of 2752	2576	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2576 wrote to memory of 2752	2576	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2576 wrote to memory of 2752	2576	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2576 wrote to memory of 2500	2576	Majid Z Hacker.exe	firewall.exe
PID 2576 wrote to memory of 2500	2576	Majid Z Hacker.exe	firewall.exe
PID 2576 wrote to memory of 2500	2576	Majid Z Hacker.exe	firewall.exe
PID 2576 wrote to memory of 2500	2576	Majid Z Hacker.exe	firewall.exe
PID 2752 wrote to memory of 2604	2752	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2752 wrote to memory of 2604	2752	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2752 wrote to memory of 2604	2752	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2752 wrote to memory of 2604	2752	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2752 wrote to memory of 2632	2752	Majid Z Hacker.exe	firewall.exe
PID 2752 wrote to memory of 2632	2752	Majid Z Hacker.exe	firewall.exe
PID 2752 wrote to memory of 2632	2752	Majid Z Hacker.exe	firewall.exe
PID 2752 wrote to memory of 2632	2752	Majid Z Hacker.exe	firewall.exe
PID 2604 wrote to memory of 2508	2604	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2604 wrote to memory of 2508	2604	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2604 wrote to memory of 2508	2604	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2604 wrote to memory of 2508	2604	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2604 wrote to memory of 2588	2604	Majid Z Hacker.exe	firewall.exe
PID 2604 wrote to memory of 2588	2604	Majid Z Hacker.exe	firewall.exe
PID 2604 wrote to memory of 2588	2604	Majid Z Hacker.exe	firewall.exe
PID 2604 wrote to memory of 2588	2604	Majid Z Hacker.exe	firewall.exe
PID 2508 wrote to memory of 2272	2508	Majid Z Hacker.exe	netsh.exe
PID 2508 wrote to memory of 2272	2508	Majid Z Hacker.exe	netsh.exe
PID 2508 wrote to memory of 2272	2508	Majid Z Hacker.exe	netsh.exe
PID 2508 wrote to memory of 2272	2508	Majid Z Hacker.exe	netsh.exe
PID 2508 wrote to memory of 1108	2508	Majid Z Hacker.exe	firewall.exe
PID 2508 wrote to memory of 1108	2508	Majid Z Hacker.exe	firewall.exe
PID 2508 wrote to memory of 1108	2508	Majid Z Hacker.exe	firewall.exe
PID 2508 wrote to memory of 1108	2508	Majid Z Hacker.exe	firewall.exe
PID 2272 wrote to memory of 2840	2272	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2272 wrote to memory of 2840	2272	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2272 wrote to memory of 2840	2272	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2272 wrote to memory of 2840	2272	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2272 wrote to memory of 2888	2272	Majid Z Hacker.exe	firewall.exe
PID 2272 wrote to memory of 2888	2272	Majid Z Hacker.exe	firewall.exe
PID 2272 wrote to memory of 2888	2272	Majid Z Hacker.exe	firewall.exe
PID 2272 wrote to memory of 2888	2272	Majid Z Hacker.exe	firewall.exe

C:\Users\Admin\AppData\Local\Temp\Venom-Rat-Cracked--main\Venom Activated Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Venom-Rat-Cracked--main\Venom Activated Cracked.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe"
2⤵
- Executes dropped EXE
PID:1032

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1444

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:484

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1312

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1436

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
26⤵
- Executes dropped EXE
PID:3200

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
27⤵
- Executes dropped EXE
PID:3364

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
28⤵
- Executes dropped EXE
PID:3468

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
29⤵
- Executes dropped EXE
PID:3676

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
30⤵
- Executes dropped EXE
PID:3844

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
31⤵
- Executes dropped EXE
PID:4012

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
32⤵
- Executes dropped EXE
PID:3152

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
33⤵
- Executes dropped EXE
PID:3252

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
34⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
35⤵
PID:3860

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
36⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
37⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
38⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
39⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
40⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
41⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
42⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
43⤵
PID:3456

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
44⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
45⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
46⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
47⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
48⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
49⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
50⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
51⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
52⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
53⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
54⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
55⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
56⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
57⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
58⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
59⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
60⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
61⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
62⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
63⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
64⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
65⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
66⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
67⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
68⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
69⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
70⤵
PID:4224

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
71⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
72⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
73⤵
PID:3536

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
74⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
75⤵
PID:5168

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
76⤵
PID:5332

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
77⤵
PID:5504

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
78⤵
PID:5712

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
79⤵
PID:5840

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
80⤵
PID:6012

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
81⤵
PID:3456

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
82⤵
PID:5364

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
83⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
84⤵
PID:5832

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
85⤵
PID:6036

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
86⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
87⤵
PID:5528

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
88⤵
PID:5524

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
89⤵
PID:5840

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
90⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
91⤵
PID:5440

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
92⤵
PID:5728

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
93⤵
PID:5228

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
94⤵
PID:5816

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
95⤵
PID:5832

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
96⤵
PID:5796

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
97⤵
PID:5688

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
98⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
99⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
100⤵
PID:5156

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
101⤵
PID:5632

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
102⤵
PID:6232

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
103⤵
PID:6396

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
104⤵
PID:6576

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
105⤵
PID:6804

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
106⤵
PID:7016

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
107⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
108⤵
PID:6388

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
109⤵
PID:6396

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
110⤵
PID:6804

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
111⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
112⤵
PID:6488

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
113⤵
PID:6340

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
114⤵
PID:6676

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
115⤵
PID:6544

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
116⤵
PID:6732

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
117⤵
PID:6312

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
118⤵
PID:7016

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
119⤵
PID:7376

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
120⤵
PID:7560

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
121⤵
PID:7744

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
122⤵
PID:7924

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
123⤵
PID:8100

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
124⤵
PID:6852

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
125⤵
PID:7512

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
126⤵
PID:7732

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
127⤵
PID:7544

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
128⤵
PID:7344

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
129⤵
PID:8036

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
130⤵
PID:7724

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
131⤵
PID:6300

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
132⤵
PID:7844

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
133⤵
PID:7992

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
134⤵
PID:5500

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
135⤵
PID:6500

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
136⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
137⤵
PID:7832

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
138⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
139⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
140⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
141⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
142⤵
PID:7864

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
143⤵
PID:7960

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
144⤵
PID:6500

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
145⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
146⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
147⤵
PID:7380

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
148⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
149⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
150⤵
PID:8148

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
151⤵
PID:5676

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
152⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
153⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
154⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
155⤵
PID:8380

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
156⤵
PID:8576

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
157⤵
PID:8784

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
158⤵
PID:8992

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
159⤵
PID:9200

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
160⤵
PID:8456

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
161⤵
PID:8384

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
162⤵
PID:9040

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
163⤵
PID:8760

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
164⤵
PID:6004

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
165⤵
PID:9148

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
166⤵
PID:8664

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
167⤵
PID:8716

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
168⤵
PID:8724

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
169⤵
PID:8480

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
170⤵
PID:8264

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
171⤵
PID:8924

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
172⤵
PID:9344

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
173⤵
PID:9528

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
174⤵
PID:9708

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
175⤵
PID:9880

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
176⤵
PID:10064

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
177⤵
PID:9148

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
178⤵
PID:9408

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
179⤵
PID:9344

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
180⤵
PID:7196

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
181⤵
PID:10116

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
182⤵
PID:8984

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
183⤵
PID:9552

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
184⤵
PID:9960

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
185⤵
PID:9832

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
186⤵
PID:9320

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
187⤵
PID:9344

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
188⤵
PID:9984

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
189⤵
PID:9600

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
190⤵
PID:10172

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
191⤵
PID:9532

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
192⤵
PID:9296

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
193⤵
PID:9988

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
194⤵
PID:9468

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
195⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
196⤵
PID:10352

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
197⤵
PID:10524

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
198⤵
PID:10704

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
199⤵
PID:10888

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
200⤵
PID:11068

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
201⤵
PID:11248

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
202⤵
PID:10408

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
203⤵
PID:10356

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
204⤵
PID:10880

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
205⤵
PID:11168

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
206⤵
PID:11236

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
207⤵
PID:10148

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
208⤵
PID:10984

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
209⤵
PID:10252

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
210⤵
PID:9996

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
211⤵
PID:9508

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
211⤵
PID:11136

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
210⤵
PID:10504

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
211⤵
- Modifies Windows Firewall
PID:4816

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
209⤵
- Adds Run key to start application
PID:9480

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
210⤵
PID:10936

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
208⤵
PID:10992

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
209⤵
- Modifies Windows Firewall
PID:10372

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
207⤵
- Adds Run key to start application
PID:10412

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
208⤵
- Modifies Windows Firewall
PID:11108

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
206⤵
- Drops autorun.inf file
PID:11072

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
207⤵
PID:10660

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
205⤵
- Adds Run key to start application
PID:11160

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
206⤵
- Modifies Windows Firewall
PID:10580

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
204⤵
PID:10768

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
205⤵
- Modifies Windows Firewall
PID:10260

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
203⤵
PID:9404

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
204⤵
PID:10512

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
202⤵
PID:10416

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
203⤵
PID:10304

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
201⤵
PID:11256

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
202⤵
- Modifies Windows Firewall
PID:10584

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
200⤵
- Adds Run key to start application
PID:11076

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
201⤵
PID:7224

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
199⤵
PID:10896

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
200⤵
PID:11188

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
198⤵
- Adds Run key to start application
PID:10712

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
199⤵
PID:11012

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
197⤵
PID:10532

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
198⤵
- Modifies Windows Firewall
PID:10832

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
196⤵
PID:10360

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
197⤵
PID:10644

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
195⤵
PID:9868

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
196⤵
- Modifies Windows Firewall
PID:10448

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
194⤵
PID:9320

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
195⤵
PID:10272

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
193⤵
- Drops autorun.inf file
PID:9472

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
194⤵
- Modifies Windows Firewall
PID:9508

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
192⤵
PID:8504

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
193⤵
PID:10140

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
191⤵
PID:9740

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
192⤵
- Modifies Windows Firewall
PID:7500

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
190⤵
PID:10084

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
191⤵
PID:9388

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
189⤵
- Drops autorun.inf file
PID:9460

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
190⤵
PID:9512

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
188⤵
- Drops autorun.inf file
PID:9704

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
189⤵
PID:9320

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
187⤵
PID:9900

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
188⤵
PID:9640

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
186⤵
PID:10056

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
187⤵
PID:10152

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
185⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:10216

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
186⤵
- Modifies Windows Firewall
PID:9532

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
184⤵
PID:9864

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
185⤵
- Modifies Windows Firewall
PID:9388

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
183⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:10188

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
184⤵
PID:10112

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
182⤵
- Adds Run key to start application
PID:1352

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
183⤵
- Modifies Windows Firewall
PID:9640

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
181⤵
PID:9652

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
182⤵
PID:9472

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
180⤵
PID:9944

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
181⤵
PID:10168

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
179⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:9560

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
180⤵
PID:9460

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
178⤵
PID:9420

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
179⤵
PID:9800

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
177⤵
- Drops autorun.inf file
PID:3236

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
178⤵
PID:9504

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
176⤵
PID:10076

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
177⤵
PID:9300

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
175⤵
- Adds Run key to start application
PID:9888

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
176⤵
PID:10180

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
174⤵
- Drops autorun.inf file
PID:9716

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
175⤵
PID:10004

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
173⤵
PID:9540

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
174⤵
- Modifies Windows Firewall
PID:9824

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
172⤵
- Adds Run key to start application
PID:9352

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
173⤵
PID:9644

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
171⤵
PID:8724

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
172⤵
PID:9460

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
170⤵
PID:1380

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
171⤵
- Modifies Windows Firewall
PID:9284

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
169⤵
- Adds Run key to start application
PID:9180

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
170⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
168⤵
PID:8356

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
169⤵
PID:9132

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
167⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:6196

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
168⤵
PID:8984

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
166⤵
- Adds Run key to start application
PID:6464

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
167⤵
- Modifies Windows Firewall
PID:8924

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
165⤵
PID:844

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
166⤵
- Modifies Windows Firewall
PID:8456

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
164⤵
- Drops autorun.inf file
PID:8624

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
165⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
163⤵
- Drops autorun.inf file
PID:8252

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
164⤵
- Modifies Windows Firewall
PID:8936

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
162⤵
- Adds Run key to start application
PID:9052

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
163⤵
PID:8356

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
161⤵
- Adds Run key to start application
PID:8632

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
162⤵
PID:8716

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
160⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:8464

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
161⤵
PID:8896

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
159⤵
PID:9212

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
160⤵
- Modifies Windows Firewall
PID:8656

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
158⤵
- Drops autorun.inf file
PID:9000

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
159⤵
PID:8336

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
157⤵
- Adds Run key to start application
PID:8796

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
158⤵
PID:9116

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
156⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:8584

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
157⤵
PID:8924

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
155⤵
PID:8388

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
156⤵
PID:8712

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
154⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:572

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
155⤵
PID:8504

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
153⤵
- Drops autorun.inf file
PID:2676

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
154⤵
PID:8296

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
152⤵
PID:8056

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
153⤵
- Modifies Windows Firewall
PID:1360

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
151⤵
- Adds Run key to start application
PID:3192

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
152⤵
PID:7860

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
150⤵
- Drops autorun.inf file
PID:2304

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
151⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
149⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:1540

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
150⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
148⤵
PID:7556

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
149⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
147⤵
PID:1708

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
148⤵
- Modifies Windows Firewall
PID:1512

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
146⤵
- Adds Run key to start application
PID:5512

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
147⤵
PID:7464

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
145⤵
PID:956

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
146⤵
- Modifies Windows Firewall
PID:1252

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
144⤵
PID:5584

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
145⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
143⤵
PID:5108

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
144⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
142⤵
- Drops autorun.inf file
PID:4184

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
143⤵
- Modifies Windows Firewall
PID:4156

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
141⤵
PID:3852

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
142⤵
- Modifies Windows Firewall
PID:2924

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
140⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:2000

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
141⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
139⤵
PID:2388

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
140⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
138⤵
PID:1632

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
139⤵
- Modifies Windows Firewall
PID:3076

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
137⤵
PID:7600

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
138⤵
- Modifies Windows Firewall
PID:1876

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
136⤵
- Adds Run key to start application
PID:2740

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
137⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
135⤵
- Adds Run key to start application
PID:7824

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
136⤵
PID:8180

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
134⤵
- Drops autorun.inf file
PID:2096

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
135⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
133⤵
PID:7808

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
134⤵
- Modifies Windows Firewall
PID:2980

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
132⤵
PID:7640

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
133⤵
- Modifies Windows Firewall
PID:7304

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
131⤵
- Drops autorun.inf file
PID:7744

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
132⤵
- Modifies Windows Firewall
PID:8128

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
130⤵
PID:7512

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
131⤵
- Modifies Windows Firewall
PID:7332

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
129⤵
- Drops autorun.inf file
PID:6416

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
130⤵
PID:8176

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
128⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:8140

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
129⤵
- Modifies Windows Firewall
PID:6400

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
127⤵
PID:7876

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
128⤵
PID:7364

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
126⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:7812

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
127⤵
PID:7004

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
125⤵
- Adds Run key to start application
PID:7612

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
126⤵
- Modifies Windows Firewall
PID:7968

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
124⤵
PID:6312

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
125⤵
PID:7712

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
123⤵
PID:8108

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
124⤵
PID:7484

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
122⤵
PID:7936

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
123⤵
PID:6500

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
121⤵
PID:7752

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
122⤵
- Modifies Windows Firewall
PID:8036

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
120⤵
PID:7568

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
121⤵
PID:7860

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
119⤵
- Drops autorun.inf file
PID:7388

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
120⤵
PID:7684

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
118⤵
- Drops autorun.inf file
PID:7160

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
119⤵
PID:7496

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
117⤵
- Drops autorun.inf file
PID:6544

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
118⤵
- Modifies Windows Firewall
PID:7320

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
116⤵
PID:6912

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
117⤵
PID:5500

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
115⤵
PID:6616

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
116⤵
PID:6568

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
114⤵
PID:6600

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
115⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
113⤵
PID:7000

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
114⤵
- Modifies Windows Firewall
PID:7016

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
112⤵
PID:6724

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
113⤵
PID:6548

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
111⤵
PID:6156

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
112⤵
PID:6840

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
110⤵
- Adds Run key to start application
PID:6844

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
111⤵
PID:5824

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
109⤵
- Adds Run key to start application
PID:6620

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
110⤵
PID:7056

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
108⤵
PID:5636

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
109⤵
PID:6780

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
107⤵
PID:6056

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
108⤵
PID:6416

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
106⤵
- Adds Run key to start application
PID:7024

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
107⤵
- Modifies Windows Firewall
PID:6316

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
105⤵
- Adds Run key to start application
PID:6816

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
106⤵
PID:7144

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
104⤵
PID:6584

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
105⤵
PID:6944

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
103⤵
- Drops autorun.inf file
PID:6404

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
104⤵
PID:6728

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
102⤵
PID:6240

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
103⤵
PID:6512

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
101⤵
- Adds Run key to start application
PID:5340

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
102⤵
PID:6328

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
100⤵
- Adds Run key to start application
PID:5452

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
101⤵
PID:6164

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
99⤵
PID:5792

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
100⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
98⤵
PID:4408

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
99⤵
PID:5500

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
97⤵
- Adds Run key to start application
PID:6016

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
98⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
96⤵
PID:5524

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
97⤵
- Modifies Windows Firewall
PID:1312

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
95⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:5980

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
96⤵
- Modifies Windows Firewall
PID:6056

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
94⤵
PID:5884

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
95⤵
PID:5428

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
93⤵
- Drops autorun.inf file
PID:5660

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
94⤵
- Modifies Windows Firewall
PID:1316

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
92⤵
PID:5432

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
93⤵
PID:344

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
91⤵
PID:5544

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
92⤵
PID:5984

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
90⤵
- Adds Run key to start application
PID:5308

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
91⤵
PID:5792

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
89⤵
- Drops autorun.inf file
PID:6136

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
90⤵
PID:5812

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
88⤵
PID:5876

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
89⤵
- Modifies Windows Firewall
PID:2052

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
87⤵
- Drops autorun.inf file
PID:5536

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
88⤵
PID:5824

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
86⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:5784

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
87⤵
PID:5660

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
85⤵
PID:6048

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
86⤵
PID:5296

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
84⤵
PID:5736

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
85⤵
PID:5572

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
83⤵
PID:5596

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
84⤵
- Modifies Windows Firewall
PID:5440

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
82⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:5372

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
83⤵
PID:5696

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
81⤵
- Adds Run key to start application
PID:4972

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
82⤵
PID:5324

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
80⤵
PID:6020

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
81⤵
PID:5164

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
79⤵
PID:5852

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
80⤵
PID:6088

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
78⤵
PID:5720

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
79⤵
PID:5924

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
77⤵
PID:5564

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
78⤵
- Modifies Windows Firewall
PID:5756

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
76⤵
PID:5392

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
77⤵
- Modifies Windows Firewall
PID:5600

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
75⤵
PID:5176

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
76⤵
- Modifies Windows Firewall
PID:5432

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
74⤵
- Adds Run key to start application
PID:4920

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
75⤵
- Modifies Windows Firewall
PID:5244

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
73⤵
PID:4456

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
74⤵
- Modifies Windows Firewall
PID:1868

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
72⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:4600

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
73⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
71⤵
- Drops autorun.inf file
PID:4116

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
72⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
70⤵
PID:4400

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
71⤵
- Modifies Windows Firewall
PID:4408

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
69⤵
- Drops autorun.inf file
PID:4552

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
70⤵
PID:3456

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
68⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
69⤵
- Modifies Windows Firewall
PID:5028

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
67⤵
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
68⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
66⤵
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
67⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
65⤵
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
66⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
64⤵
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
65⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
63⤵
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
64⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
62⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
63⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
61⤵
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
62⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
60⤵
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
61⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
59⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
60⤵
- Modifies Windows Firewall
PID:3860

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
58⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
59⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
57⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
58⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
56⤵
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
57⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
55⤵
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
56⤵
- Modifies Windows Firewall
PID:3712

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
54⤵
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
55⤵
PID:3152

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
53⤵
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
54⤵
- Modifies Windows Firewall
PID:4968

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
52⤵
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
53⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
51⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
52⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
50⤵
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
51⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
49⤵
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
50⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
48⤵
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
49⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
47⤵
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
48⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
46⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
47⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
45⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
46⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
44⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
45⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
43⤵
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
44⤵
- Modifies Windows Firewall
PID:1704

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
42⤵
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
43⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
41⤵
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
42⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
40⤵
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
41⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
39⤵
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
40⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
38⤵
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
39⤵
PID:3104

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
37⤵
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
38⤵
- Modifies Windows Firewall
PID:3792

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
36⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
37⤵
- Modifies Windows Firewall
PID:3520

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
35⤵
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
36⤵
PID:3172

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
34⤵
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
35⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
33⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
34⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
32⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
33⤵
- Modifies Windows Firewall
PID:3532

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
32⤵
- Modifies Windows Firewall
PID:3192

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
30⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
31⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
29⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
30⤵
- Modifies Windows Firewall
PID:3920

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
28⤵
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
29⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
27⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
28⤵
- Modifies Windows Firewall
PID:3584

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
26⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
27⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
25⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
26⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
25⤵
- Modifies Windows Firewall
PID:304

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
23⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
24⤵
- Modifies Windows Firewall
PID:2776

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 800
24⤵
PID:3284

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
22⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
23⤵
PID:2628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 616
23⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3276

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
22⤵
- Modifies Windows Firewall
PID:1672

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
21⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
19⤵
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
20⤵
- Modifies Windows Firewall
PID:2272

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
18⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
19⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
18⤵
PID:2616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 696
18⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2880

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
17⤵
PID:1748

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 676
17⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2620

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
15⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
16⤵
- Modifies Windows Firewall
PID:1704

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 772
16⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1852

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
15⤵
PID:908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 612
15⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1436

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 452
14⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2252

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
12⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
13⤵
- Modifies Windows Firewall
PID:1252

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 772
13⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2116

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
11⤵
- Executes dropped EXE
PID:2348

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 468
12⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2196

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 444
11⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2772

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 448
10⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2556

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
8⤵
- Executes dropped EXE
PID:1108

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 448
9⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1760

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 444
8⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1296

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 448
7⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2812

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 448
6⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:700

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 448
5⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2804

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 448
4⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20251472931773782656-1576039694-531885778-692501751-1422621171-1444574897-50353409"
1⤵
PID:4004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2079740588-18395365641295477587-17943024362081457173-2008131164118830058518157908"
1⤵
PID:3680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11093675511230549848-197805417-1413792619214362119378401157529491967283475774"
1⤵
PID:1628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1744492268-1928640524-18691968211849215655-1683947586-1396263606-1267571019-103912462"
1⤵
PID:4564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-54726564-2165595702016792488-1125458579-16935220891464725563-1995880768-186687075"
1⤵
PID:3532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "173174609715208034171396690531-1552161427-819058201198869920713689263401796367550"
1⤵
PID:4352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2673208131910477621213275801748242724869945208616299978-12455917541498486543"
1⤵
PID:4604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8011517989023413442030405265-109712483429032355-349664253764751223-276444024"
1⤵
PID:5712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1862083205-1805932713-1462415750-2107883219-10698618371823877204-988443451-595089234"
1⤵
PID:1596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1739774443-572371062-2264099461268552392979803262174006169716380589361523458504"
1⤵
PID:5332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "874047844-640451798-1665826960-526485156-1405659934402390561439515853273316439"
1⤵
PID:6576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19262275782102372632-1525137531-4096869512031383586000786991947989786-161818545"
1⤵
PID:6164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "443425800-758414831904883201163872052796509932-7198047491919090882963446351"
1⤵
PID:5824

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:6780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-760392510576731457-151030939812351318239980704-1643105277-907486538807825790"
1⤵
PID:7684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "924606291746642801-9011195631452936139-547793322-862671979-2682112901933542804"
1⤵
PID:6568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18151632892056862026-1146832764814104979-1803719604420013956-535841284-1279642386"
1⤵
PID:7484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1123171608-18407187931744508634565390080915217986-8419869662089029461883117721"
1⤵
PID:7544

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BlackData.dat
Filesize
3B

MD5
93cba07454f06a4a960172bbd6e2a435

SHA1
5397e0583f14f6c88de06b1ef28f460a1fb5b0ae

SHA256
85a39ab345d672ff8ca9b9c6876f3adcacf45ee7c1e2dbd2408fd338bd55e07e

SHA512
6b99acba1e4e469610f9227829648fa52e7ad463f22568f0a04188f2d465a585ba077f12d1a527674c338470e79665fd16e54f25553482cddd85845232d186f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
Filesize
462KB

MD5
a8a8d6f3b48466242959545235d1c9b6

SHA1
0c2d670dc3b3b07a2498756e1d46fd1fee53a621

SHA256
09d709640f6884d6b7e7501175cfdcc3724df07785c081c0e14b20cbcdf382ec

SHA512
09f08dd6026b2e24a05e20505723055deceffaba3d351dd49cdc934d038ef0796a3d8d481fe7734b3ec3ba80f4800994983441204dbc3f12baf4f637534a4796

Download Submit
C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe
Filesize
12.1MB

MD5
750015e08a9409c80cd3837daebb970a

SHA1
bfd1122f8c459862717b0b7a50b7216fc2573880

SHA256
3c413ee4b07c531c891ac1852d3d1b6a60bdc92e549e9cf4744d4fe85ebb5de2

SHA512
f35938eac84d6084d9239977462c965bab95924895cd2b73e501a7d7c2ff400aaeaefbdc3302ac8f8c13cd49e22d19e95ef530cf1cc10f79f6ab62653021e5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\firewall.exe
Filesize
40KB

MD5
085242fc50844dc41d1966e620d3e121

SHA1
5e9a343256313938468d5d4fb92e39c5ef6f8c91

SHA256
180b8e0169f2c89d3b4f34d3ee5b26f5578211068be74cf9c2fd194d8cda9b3d

SHA512
3341c74802aa98ce2bd7b15d2921d3082110c62ee6d82df784cb610c1594d905c82c6ae79cf43d76f98db7a8a4951686898ba1dddeb9615fca6480ac6bb7887b

Download Submit
C:\Users\Admin\Music\autorun.inf
Filesize
287B

MD5
15755ea8c0f620cfdaf9ada425e6b4c2

SHA1
868d9aca932d7a1a0d26ba19d613e34f3325a4eb

SHA256
3ae21c30b4273c6dfcc5841aaa18d776e53dd9dd9458051cb5457e25af4250fe

SHA512
6a44ff83fcf9d22fe1d06d3333be2bcfd45df0a9bc449cdf857d255c69d88497efc8c00c6a4ba383da6ebd7d422e87fea2e78ad62ec678fa3dc1aac29e34fae9

Download Submit
C:\Users\Admin\Pictures\autorun.inf
Filesize
299B

MD5
d7111cd7ccdee778d8261d4e03614a85

SHA1
f88c30e0403764b7384e3ef64cb54a1c2f5121f4

SHA256
6ad6f66d55b492f4f982a1bbe9ba99b20f3c77b93285cca02ca7843642336aa3

SHA512
15578fff5e7ee767edeaa4da93a66b2a634d8caa7a0a06223481fa6ab1c97c64f3871a36550406bc29f2e1262bb01e282d022cd55e9e7aa8ce9745fa3037c5b1

Download Submit
C:\Users\Admin\Videos\autorun.inf
Filesize
291B

MD5
5cda9292cfaacb554b5ddda7a5d8daa0

SHA1
05d78ca665e4186a6245c29c9b392e090a9d0937

SHA256
8cbbcbdb2618fb7eaf7e09ceceee1c9d0cbdf609e4f0fc9a6a2de71912ceb174

SHA512
825381e97b7a0458898f27a95584affa011d1038a380a3e19c81cb04a80bbb9924536fa6c53dbde073d371de2918ede9a0e2427b9227888ce208b6ac50accdba

Download Submit
memory/1032-12-0x000007FEF5363000-0x000007FEF5364000-memory.dmp

Filesize
4KB

Download
memory/1032-27-0x0000000000AE0000-0x00000000016FA000-memory.dmp

Filesize
12.1MB

Download
memory/1032-1226-0x000007FEF5363000-0x000007FEF5364000-memory.dmp

Filesize
4KB

Download