f911a357abf083c321d7240e1070b470c9d2a64c1503700dbec45980c88c0aa4

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 12:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Venom-Rat-Cracked--main/Venom Activated Cracked.exe
Size

10.1MB
MD5

4dabfeed4b250a3248714458ae370ca8
SHA1

6e215b2a20039a4dbde18579a1419a4eb10946ac
SHA256

eb23cbc820d2b8fdc0227b2e89274edf2671163cae40e0a9bb930b91c05ac3a9
SHA512

7ea826cf27da942ce2e9db4a800b3c247670a8fc260af8686d14c48583f38f14b935d5af282a3774a9811f0957ca7318dc883307254554e907f7cfb5f6419a4c
SSDEEP

196608:m6+0f/ylacMb5mCbClb12UK4RDx5gRIAL1xXPm68DwOHRR+kc4N4FmDdgW7NaREE:m0f/KacMbR2J2UKEdiRIAL1xXPCwkEn7

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 64 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6400	netsh.exe
2924	netsh.exe
7968	netsh.exe
9508	netsh.exe
2776	netsh.exe
2052	netsh.exe
1512	netsh.exe
1316	netsh.exe
11108	netsh.exe
4816	netsh.exe
7320	netsh.exe
10372	netsh.exe
10584	netsh.exe
7500	netsh.exe
7304	netsh.exe
4408	netsh.exe
5432	netsh.exe
3712	netsh.exe
3860	netsh.exe
1672	netsh.exe
9284	netsh.exe
9824	netsh.exe
10260	netsh.exe
304	netsh.exe
1868	netsh.exe
4156	netsh.exe
8656	netsh.exe
8456	netsh.exe
1704	netsh.exe
5600	netsh.exe
6316	netsh.exe
2980	netsh.exe
1876	netsh.exe
3076	netsh.exe
6056	netsh.exe
1312	netsh.exe
5440	netsh.exe
7016	netsh.exe
8128	netsh.exe
3792	netsh.exe
5756	netsh.exe
3520	netsh.exe
2272	netsh.exe
7332	netsh.exe
1252	netsh.exe
3920	netsh.exe
3532	netsh.exe
10448	netsh.exe
8936	netsh.exe
3584	netsh.exe
5028	netsh.exe
1360	netsh.exe
8924	netsh.exe
9388	netsh.exe
3192	netsh.exe
4968	netsh.exe
10832	netsh.exe
10580	netsh.exe
1704	netsh.exe
1252	netsh.exe
9532	netsh.exe
5244	netsh.exe
8036	netsh.exe
9640	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	firewall.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	firewall.exe

Executes dropped EXE 64 IoCs

pid	Process
1032	Venom Cracked.exe
1964	Majid Z Hacker.exe
2616	Majid Z Hacker.exe
2720	firewall.exe
2576	Majid Z Hacker.exe
2600	firewall.exe
2752	Majid Z Hacker.exe
2500	firewall.exe
2604	Majid Z Hacker.exe
2632	firewall.exe
2508	Majid Z Hacker.exe
2588	firewall.exe
2272	Majid Z Hacker.exe
1108	firewall.exe
2840	Majid Z Hacker.exe
2888	firewall.exe
2884	Majid Z Hacker.exe
2900	firewall.exe
1716	Majid Z Hacker.exe
2348	firewall.exe
1444	Majid Z Hacker.exe
2524	firewall.exe
3032	Majid Z Hacker.exe
1916	firewall.exe
2940	Majid Z Hacker.exe
1820	firewall.exe
484	Majid Z Hacker.exe
1796	firewall.exe
1976	Majid Z Hacker.exe
1784	firewall.exe
2056	firewall.exe
2012	Majid Z Hacker.exe
1596	Majid Z Hacker.exe
1592	firewall.exe
2064	firewall.exe
1968	Majid Z Hacker.exe
1932	Majid Z Hacker.exe
2660	firewall.exe
1312	Majid Z Hacker.exe
2764	firewall.exe
1436	Majid Z Hacker.exe
2728	firewall.exe
1588	Majid Z Hacker.exe
2932	firewall.exe
2412	Majid Z Hacker.exe
2680	firewall.exe
1628	Majid Z Hacker.exe
2012	firewall.exe
3200	Majid Z Hacker.exe
3208	firewall.exe
3364	Majid Z Hacker.exe
3372	firewall.exe
3468	Majid Z Hacker.exe
3492	firewall.exe
3676	Majid Z Hacker.exe
3728	firewall.exe
3844	Majid Z Hacker.exe
3900	firewall.exe
4012	Majid Z Hacker.exe
4068	firewall.exe
3152	Majid Z Hacker.exe
3228	firewall.exe
3252	Majid Z Hacker.exe
3332	firewall.exe

Loads dropped DLL 64 IoCs

pid	Process
2316	Venom Activated Cracked.exe
2316	Venom Activated Cracked.exe
1964	Majid Z Hacker.exe
1964	Majid Z Hacker.exe
2616	Majid Z Hacker.exe
2616	Majid Z Hacker.exe
2576	Majid Z Hacker.exe
2576	Majid Z Hacker.exe
2752	Majid Z Hacker.exe
2752	Majid Z Hacker.exe
2604	Majid Z Hacker.exe
2604	Majid Z Hacker.exe
2508	Majid Z Hacker.exe
2508	Majid Z Hacker.exe
2272	Majid Z Hacker.exe
2272	Majid Z Hacker.exe
2840	Majid Z Hacker.exe
2840	Majid Z Hacker.exe
2884	Majid Z Hacker.exe
2884	Majid Z Hacker.exe
1716	Majid Z Hacker.exe
1716	Majid Z Hacker.exe
1444	Majid Z Hacker.exe
1444	Majid Z Hacker.exe
3032	Majid Z Hacker.exe
3032	Majid Z Hacker.exe
2940	Majid Z Hacker.exe
1760	dw20.exe
2772	dw20.exe
2804	dw20.exe
2940	Majid Z Hacker.exe
700	dw20.exe
2556	dw20.exe
2036	dw20.exe
1296	dw20.exe
2812	dw20.exe
2196	dw20.exe
484	Majid Z Hacker.exe
484	Majid Z Hacker.exe
2252	dw20.exe
1976	Majid Z Hacker.exe
1976	Majid Z Hacker.exe
2012	Majid Z Hacker.exe
2012	Majid Z Hacker.exe
1596	Majid Z Hacker.exe
1596	Majid Z Hacker.exe
1968	Majid Z Hacker.exe
1968	Majid Z Hacker.exe
1932	Majid Z Hacker.exe
1932	Majid Z Hacker.exe
1312	Majid Z Hacker.exe
1312	Majid Z Hacker.exe
1436	Majid Z Hacker.exe
1436	Majid Z Hacker.exe
1588	Majid Z Hacker.exe
1588	Majid Z Hacker.exe
2412	Majid Z Hacker.exe
2412	Majid Z Hacker.exe
2620	dw20.exe
2116	dw20.exe
1852	dw20.exe
1436	dw20.exe
2880	dw20.exe
1628	Majid Z Hacker.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe

Drops autorun.inf file 1 TTPs 64 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral11/files/0x0036000000014502-11.dat	nsis_installer_1
behavioral11/files/0x0036000000014502-11.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
1592	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe
2064	firewall.exe

Suspicious behavior: GetForegroundWindowSpam 16 IoCs

pid	Process
2036	dw20.exe
1296	dw20.exe
2812	dw20.exe
1760	dw20.exe
2804	dw20.exe
2772	dw20.exe
2556	dw20.exe
700	dw20.exe
2196	dw20.exe
2252	dw20.exe
2620	dw20.exe
1436	dw20.exe
2880	dw20.exe
2116	dw20.exe
1852	dw20.exe
3276	dw20.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	firewall.exe
Token: SeDebugPrivilege	1820	firewall.exe
Token: SeDebugPrivilege	1796	firewall.exe
Token: SeDebugPrivilege	1784	firewall.exe
Token: SeDebugPrivilege	2056	firewall.exe
Token: SeDebugPrivilege	1592	firewall.exe
Token: SeDebugPrivilege	2064	firewall.exe
Token: SeDebugPrivilege	2660	firewall.exe
Token: SeDebugPrivilege	2764	firewall.exe
Token: SeDebugPrivilege	2728	firewall.exe
Token: SeDebugPrivilege	2932	firewall.exe
Token: SeDebugPrivilege	2680	firewall.exe
Token: SeDebugPrivilege	1916	firewall.exe
Token: SeDebugPrivilege	2600	firewall.exe
Token: SeDebugPrivilege	2720	firewall.exe
Token: SeDebugPrivilege	2900	firewall.exe
Token: SeDebugPrivilege	2012	firewall.exe
Token: SeDebugPrivilege	3208	firewall.exe
Token: SeDebugPrivilege	3372	firewall.exe
Token: SeDebugPrivilege	3492	firewall.exe
Token: SeDebugPrivilege	3728	firewall.exe
Token: SeDebugPrivilege	3900	firewall.exe
Token: SeDebugPrivilege	4068	firewall.exe
Token: SeDebugPrivilege	3228	firewall.exe
Token: SeDebugPrivilege	3332	firewall.exe
Token: SeDebugPrivilege	3596	firewall.exe
Token: SeDebugPrivilege	3868	firewall.exe
Token: SeDebugPrivilege	3592	firewall.exe
Token: SeDebugPrivilege	2504	firewall.exe
Token: SeDebugPrivilege	3684	firewall.exe
Token: SeDebugPrivilege	3816	firewall.exe
Token: SeDebugPrivilege	3460	firewall.exe
Token: SeDebugPrivilege	2888	firewall.exe
Token: SeDebugPrivilege	2500	firewall.exe
Token: SeDebugPrivilege	2632	firewall.exe
Token: SeDebugPrivilege	2588	firewall.exe
Token: SeDebugPrivilege	3200	firewall.exe
Token: SeDebugPrivilege	4092	firewall.exe
Token: SeDebugPrivilege	3720	firewall.exe
Token: SeDebugPrivilege	3132	firewall.exe
Token: SeDebugPrivilege	3716	firewall.exe
Token: SeDebugPrivilege	3088	firewall.exe
Token: SeDebugPrivilege	892	firewall.exe
Token: SeDebugPrivilege	3324	firewall.exe
Token: SeDebugPrivilege	3360	firewall.exe
Token: SeDebugPrivilege	4268	firewall.exe
Token: SeDebugPrivilege	4436	firewall.exe
Token: SeDebugPrivilege	4608	firewall.exe
Token: SeDebugPrivilege	4768	firewall.exe
Token: SeDebugPrivilege	4892	firewall.exe
Token: SeDebugPrivilege	5060	firewall.exe
Token: SeDebugPrivilege	4160	firewall.exe
Token: SeDebugPrivilege	4396	firewall.exe
Token: SeDebugPrivilege	4148	firewall.exe
Token: SeDebugPrivilege	4836	firewall.exe
Token: SeDebugPrivilege	5092	firewall.exe
Token: SeDebugPrivilege	3928	firewall.exe
Token: SeDebugPrivilege	4568	firewall.exe
Token: SeDebugPrivilege	4476	firewall.exe
Token: SeDebugPrivilege	3704	firewall.exe
Token: SeDebugPrivilege	4428	firewall.exe
Token: SeDebugPrivilege	4332	firewall.exe
Token: SeDebugPrivilege	5080	firewall.exe
Token: SeDebugPrivilege	4724	firewall.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 1032	2316	Venom Activated Cracked.exe	28
PID 2316 wrote to memory of 1032	2316	Venom Activated Cracked.exe	28
PID 2316 wrote to memory of 1032	2316	Venom Activated Cracked.exe	28
PID 2316 wrote to memory of 1032	2316	Venom Activated Cracked.exe	28
PID 2316 wrote to memory of 1964	2316	Venom Activated Cracked.exe	29
PID 2316 wrote to memory of 1964	2316	Venom Activated Cracked.exe	29
PID 2316 wrote to memory of 1964	2316	Venom Activated Cracked.exe	29
PID 2316 wrote to memory of 1964	2316	Venom Activated Cracked.exe	29
PID 1964 wrote to memory of 2616	1964	Majid Z Hacker.exe	30
PID 1964 wrote to memory of 2616	1964	Majid Z Hacker.exe	30
PID 1964 wrote to memory of 2616	1964	Majid Z Hacker.exe	30
PID 1964 wrote to memory of 2616	1964	Majid Z Hacker.exe	30
PID 1964 wrote to memory of 2720	1964	Majid Z Hacker.exe	31
PID 1964 wrote to memory of 2720	1964	Majid Z Hacker.exe	31
PID 1964 wrote to memory of 2720	1964	Majid Z Hacker.exe	31
PID 1964 wrote to memory of 2720	1964	Majid Z Hacker.exe	31
PID 2616 wrote to memory of 2576	2616	Majid Z Hacker.exe	32
PID 2616 wrote to memory of 2576	2616	Majid Z Hacker.exe	32
PID 2616 wrote to memory of 2576	2616	Majid Z Hacker.exe	32
PID 2616 wrote to memory of 2576	2616	Majid Z Hacker.exe	32
PID 2616 wrote to memory of 2600	2616	Majid Z Hacker.exe	33
PID 2616 wrote to memory of 2600	2616	Majid Z Hacker.exe	33
PID 2616 wrote to memory of 2600	2616	Majid Z Hacker.exe	33
PID 2616 wrote to memory of 2600	2616	Majid Z Hacker.exe	33
PID 2576 wrote to memory of 2752	2576	Majid Z Hacker.exe	34
PID 2576 wrote to memory of 2752	2576	Majid Z Hacker.exe	34
PID 2576 wrote to memory of 2752	2576	Majid Z Hacker.exe	34
PID 2576 wrote to memory of 2752	2576	Majid Z Hacker.exe	34
PID 2576 wrote to memory of 2500	2576	Majid Z Hacker.exe	35
PID 2576 wrote to memory of 2500	2576	Majid Z Hacker.exe	35
PID 2576 wrote to memory of 2500	2576	Majid Z Hacker.exe	35
PID 2576 wrote to memory of 2500	2576	Majid Z Hacker.exe	35
PID 2752 wrote to memory of 2604	2752	Majid Z Hacker.exe	36
PID 2752 wrote to memory of 2604	2752	Majid Z Hacker.exe	36
PID 2752 wrote to memory of 2604	2752	Majid Z Hacker.exe	36
PID 2752 wrote to memory of 2604	2752	Majid Z Hacker.exe	36
PID 2752 wrote to memory of 2632	2752	Majid Z Hacker.exe	37
PID 2752 wrote to memory of 2632	2752	Majid Z Hacker.exe	37
PID 2752 wrote to memory of 2632	2752	Majid Z Hacker.exe	37
PID 2752 wrote to memory of 2632	2752	Majid Z Hacker.exe	37
PID 2604 wrote to memory of 2508	2604	Majid Z Hacker.exe	38
PID 2604 wrote to memory of 2508	2604	Majid Z Hacker.exe	38
PID 2604 wrote to memory of 2508	2604	Majid Z Hacker.exe	38
PID 2604 wrote to memory of 2508	2604	Majid Z Hacker.exe	38
PID 2604 wrote to memory of 2588	2604	Majid Z Hacker.exe	39
PID 2604 wrote to memory of 2588	2604	Majid Z Hacker.exe	39
PID 2604 wrote to memory of 2588	2604	Majid Z Hacker.exe	39
PID 2604 wrote to memory of 2588	2604	Majid Z Hacker.exe	39
PID 2508 wrote to memory of 2272	2508	Majid Z Hacker.exe	88
PID 2508 wrote to memory of 2272	2508	Majid Z Hacker.exe	88
PID 2508 wrote to memory of 2272	2508	Majid Z Hacker.exe	88
PID 2508 wrote to memory of 2272	2508	Majid Z Hacker.exe	88
PID 2508 wrote to memory of 1108	2508	Majid Z Hacker.exe	41
PID 2508 wrote to memory of 1108	2508	Majid Z Hacker.exe	41
PID 2508 wrote to memory of 1108	2508	Majid Z Hacker.exe	41
PID 2508 wrote to memory of 1108	2508	Majid Z Hacker.exe	41
PID 2272 wrote to memory of 2840	2272	Majid Z Hacker.exe	42
PID 2272 wrote to memory of 2840	2272	Majid Z Hacker.exe	42
PID 2272 wrote to memory of 2840	2272	Majid Z Hacker.exe	42
PID 2272 wrote to memory of 2840	2272	Majid Z Hacker.exe	42
PID 2272 wrote to memory of 2888	2272	Majid Z Hacker.exe	43
PID 2272 wrote to memory of 2888	2272	Majid Z Hacker.exe	43
PID 2272 wrote to memory of 2888	2272	Majid Z Hacker.exe	43
PID 2272 wrote to memory of 2888	2272	Majid Z Hacker.exe	43

C:\Users\Admin\AppData\Local\Temp\Venom-Rat-Cracked--main\Venom Activated Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Venom-Rat-Cracked--main\Venom Activated Cracked.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe
  "C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe"
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
  "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
    "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
      "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        26⤵
        Executes dropped EXE
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        27⤵
        Executes dropped EXE
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        28⤵
        Executes dropped EXE
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        29⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        30⤵
        Executes dropped EXE
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        31⤵
        Executes dropped EXE
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        32⤵
        Executes dropped EXE
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        33⤵
        Executes dropped EXE
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        34⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        35⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        36⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        37⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        38⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        39⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        40⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        41⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        42⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        43⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        44⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        45⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        46⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        47⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        48⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        49⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        50⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        51⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        52⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        53⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        54⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        55⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        56⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        57⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        58⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        59⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        60⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        61⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        62⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        63⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        64⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        65⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        66⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        67⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        68⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        69⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        70⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        71⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        72⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        73⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        74⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        75⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        76⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        77⤵
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        78⤵
        
        PID:5712
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        79⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        80⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        81⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        82⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        83⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        84⤵
        
        PID:5832
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        85⤵
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        86⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        87⤵
        
        PID:5528
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        88⤵
        
        PID:5524
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        89⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        90⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        91⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        92⤵
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        93⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        94⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        95⤵
        
        PID:5832
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        96⤵
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        97⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        98⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        99⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        100⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        101⤵
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        102⤵
        
        PID:6232
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        103⤵
        
        PID:6396
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        104⤵
        
        PID:6576
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        105⤵
        
        PID:6804
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        106⤵
        
        PID:7016
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        107⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        108⤵
        
        PID:6388
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        109⤵
        
        PID:6396
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        110⤵
        
        PID:6804
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        111⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        112⤵
        
        PID:6488
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        113⤵
        
        PID:6340
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        114⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        115⤵
        
        PID:6544
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        116⤵
        
        PID:6732
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        117⤵
        
        PID:6312
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        118⤵
        
        PID:7016
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        119⤵
        
        PID:7376
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        120⤵
        
        PID:7560
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        121⤵
        
        PID:7744
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        122⤵
        
        PID:7924
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        123⤵
        
        PID:8100
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        124⤵
        
        PID:6852
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        125⤵
        
        PID:7512
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        126⤵
        
        PID:7732
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        127⤵
        
        PID:7544
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        128⤵
        
        PID:7344
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        129⤵
        
        PID:8036
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        130⤵
        
        PID:7724
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        131⤵
        
        PID:6300
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        132⤵
        
        PID:7844
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        133⤵
        
        PID:7992
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        134⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        135⤵
        
        PID:6500
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        136⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        137⤵
        
        PID:7832
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        138⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        139⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        140⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        141⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        142⤵
        
        PID:7864
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        143⤵
        
        PID:7960
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        144⤵
        
        PID:6500
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        145⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        146⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        147⤵
        
        PID:7380
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        148⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        149⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        150⤵
        
        PID:8148
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        151⤵
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        152⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        153⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        154⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        155⤵
        
        PID:8380
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        156⤵
        
        PID:8576
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        157⤵
        
        PID:8784
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        158⤵
        
        PID:8992
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        159⤵
        
        PID:9200
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        160⤵
        
        PID:8456
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        161⤵
        
        PID:8384
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        162⤵
        
        PID:9040
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        163⤵
        
        PID:8760
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        164⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        165⤵
        
        PID:9148
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        166⤵
        
        PID:8664
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        167⤵
        
        PID:8716
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        168⤵
        
        PID:8724
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        169⤵
        
        PID:8480
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        170⤵
        
        PID:8264
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        171⤵
        
        PID:8924
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        172⤵
        
        PID:9344
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        173⤵
        
        PID:9528
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        174⤵
        
        PID:9708
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        175⤵
        
        PID:9880
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        176⤵
        
        PID:10064
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        177⤵
        
        PID:9148
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        178⤵
        
        PID:9408
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        179⤵
        
        PID:9344
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        180⤵
        
        PID:7196
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        181⤵
        
        PID:10116
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        182⤵
        
        PID:8984
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        183⤵
        
        PID:9552
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        184⤵
        
        PID:9960
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        185⤵
        
        PID:9832
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        186⤵
        
        PID:9320
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        187⤵
        
        PID:9344
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        188⤵
        
        PID:9984
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        189⤵
        
        PID:9600
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        190⤵
        
        PID:10172
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        191⤵
        
        PID:9532
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        192⤵
        
        PID:9296
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        193⤵
        
        PID:9988
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        194⤵
        
        PID:9468
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        195⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        196⤵
        
        PID:10352
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        197⤵
        
        PID:10524
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        198⤵
        
        PID:10704
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        199⤵
        
        PID:10888
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        200⤵
        
        PID:11068
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        201⤵
        
        PID:11248
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        202⤵
        
        PID:10408
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        203⤵
        
        PID:10356
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        204⤵
        
        PID:10880
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        205⤵
        
        PID:11168
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        206⤵
        
        PID:11236
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        207⤵
        
        PID:10148
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        208⤵
        
        PID:10984
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        209⤵
        
        PID:10252
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        210⤵
        
        PID:9996
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        211⤵
        
        PID:9508
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        211⤵
        
        PID:11136
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        210⤵
        
        PID:10504
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        211⤵
        Modifies Windows Firewall
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        209⤵
        Adds Run key to start application
        
        PID:9480
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        210⤵
        
        PID:10936
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        208⤵
        
        PID:10992
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        209⤵
        Modifies Windows Firewall
        
        PID:10372
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        207⤵
        Adds Run key to start application
        
        PID:10412
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        208⤵
        Modifies Windows Firewall
        
        PID:11108
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        206⤵
        Drops autorun.inf file
        
        PID:11072
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        207⤵
        
        PID:10660
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        205⤵
        Adds Run key to start application
        
        PID:11160
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        206⤵
        Modifies Windows Firewall
        
        PID:10580
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        204⤵
        
        PID:10768
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        205⤵
        Modifies Windows Firewall
        
        PID:10260
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        203⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        204⤵
        
        PID:10512
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        202⤵
        
        PID:10416
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        203⤵
        
        PID:10304
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        201⤵
        
        PID:11256
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        202⤵
        Modifies Windows Firewall
        
        PID:10584
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        200⤵
        Adds Run key to start application
        
        PID:11076
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        201⤵
        
        PID:7224
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        199⤵
        
        PID:10896
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        200⤵
        
        PID:11188
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        198⤵
        Adds Run key to start application
        
        PID:10712
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        199⤵
        
        PID:11012
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        197⤵
        
        PID:10532
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        198⤵
        Modifies Windows Firewall
        
        PID:10832
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        196⤵
        
        PID:10360
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        197⤵
        
        PID:10644
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        195⤵
        
        PID:9868
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        196⤵
        Modifies Windows Firewall
        
        PID:10448
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        194⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        195⤵
        
        PID:10272
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        193⤵
        Drops autorun.inf file
        
        PID:9472
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        194⤵
        Modifies Windows Firewall
        
        PID:9508
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        192⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        193⤵
        
        PID:10140
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        191⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        192⤵
        Modifies Windows Firewall
        
        PID:7500
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        190⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        191⤵
        
        PID:9388
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        189⤵
        Drops autorun.inf file
        
        PID:9460
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        190⤵
        
        PID:9512
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        188⤵
        Drops autorun.inf file
        
        PID:9704
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        189⤵
        
        PID:9320
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        187⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        188⤵
        
        PID:9640
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        186⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        187⤵
        
        PID:10152
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        185⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:10216
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        186⤵
        Modifies Windows Firewall
        
        PID:9532
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        184⤵
        
        PID:9864
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        185⤵
        Modifies Windows Firewall
        
        PID:9388
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        183⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:10188
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        184⤵
        
        PID:10112
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        182⤵
        Adds Run key to start application
        
        PID:1352
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        183⤵
        Modifies Windows Firewall
        
        PID:9640
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        181⤵
        
        PID:9652
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        182⤵
        
        PID:9472
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        180⤵
        
        PID:9944
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        181⤵
        
        PID:10168
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        179⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:9560
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        180⤵
        
        PID:9460
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        178⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        179⤵
        
        PID:9800
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        177⤵
        Drops autorun.inf file
        
        PID:3236
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        178⤵
        
        PID:9504
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        176⤵
        
        PID:10076
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        177⤵
        
        PID:9300
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        175⤵
        Adds Run key to start application
        
        PID:9888
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        176⤵
        
        PID:10180
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        174⤵
        Drops autorun.inf file
        
        PID:9716
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        175⤵
        
        PID:10004
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        173⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        174⤵
        Modifies Windows Firewall
        
        PID:9824
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        172⤵
        Adds Run key to start application
        
        PID:9352
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        173⤵
        
        PID:9644
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        171⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        172⤵
        
        PID:9460
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        170⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        171⤵
        Modifies Windows Firewall
        
        PID:9284
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        169⤵
        Adds Run key to start application
        
        PID:9180
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        170⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        168⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        169⤵
        
        PID:9132
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        167⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:6196
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        168⤵
        
        PID:8984
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        166⤵
        Adds Run key to start application
        
        PID:6464
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        167⤵
        Modifies Windows Firewall
        
        PID:8924
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        165⤵
        
        PID:844
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        166⤵
        Modifies Windows Firewall
        
        PID:8456
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        164⤵
        Drops autorun.inf file
        
        PID:8624
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        165⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        163⤵
        Drops autorun.inf file
        
        PID:8252
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        164⤵
        Modifies Windows Firewall
        
        PID:8936
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        162⤵
        Adds Run key to start application
        
        PID:9052
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        163⤵
        
        PID:8356
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        161⤵
        Adds Run key to start application
        
        PID:8632
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        162⤵
        
        PID:8716
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        160⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:8464
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        161⤵
        
        PID:8896
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        159⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        160⤵
        Modifies Windows Firewall
        
        PID:8656
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        158⤵
        Drops autorun.inf file
        
        PID:9000
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        159⤵
        
        PID:8336
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        157⤵
        Adds Run key to start application
        
        PID:8796
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        158⤵
        
        PID:9116
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        156⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:8584
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        157⤵
        
        PID:8924
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        155⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        156⤵
        
        PID:8712
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        154⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:572
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        155⤵
        
        PID:8504
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        153⤵
        Drops autorun.inf file
        
        PID:2676
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        154⤵
        
        PID:8296
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        152⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        153⤵
        Modifies Windows Firewall
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        151⤵
        Adds Run key to start application
        
        PID:3192
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        152⤵
        
        PID:7860
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        150⤵
        Drops autorun.inf file
        
        PID:2304
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        151⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        149⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:1540
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        150⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        148⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        149⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        147⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        148⤵
        Modifies Windows Firewall
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        146⤵
        Adds Run key to start application
        
        PID:5512
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        147⤵
        
        PID:7464
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        145⤵
        
        PID:956
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        146⤵
        Modifies Windows Firewall
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        144⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        145⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        143⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        144⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        142⤵
        Drops autorun.inf file
        
        PID:4184
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        143⤵
        Modifies Windows Firewall
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        141⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        142⤵
        Modifies Windows Firewall
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        140⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:2000
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        141⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        139⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        140⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        138⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        139⤵
        Modifies Windows Firewall
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        137⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        138⤵
        Modifies Windows Firewall
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        136⤵
        Adds Run key to start application
        
        PID:2740
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        137⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        135⤵
        Adds Run key to start application
        
        PID:7824
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        136⤵
        
        PID:8180
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        134⤵
        Drops autorun.inf file
        
        PID:2096
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        135⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        133⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        134⤵
        Modifies Windows Firewall
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        132⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        133⤵
        Modifies Windows Firewall
        
        PID:7304
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        131⤵
        Drops autorun.inf file
        
        PID:7744
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        132⤵
        Modifies Windows Firewall
        
        PID:8128
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        130⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        131⤵
        Modifies Windows Firewall
        
        PID:7332
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        129⤵
        Drops autorun.inf file
        
        PID:6416
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        130⤵
        
        PID:8176
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        128⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:8140
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        129⤵
        Modifies Windows Firewall
        
        PID:6400
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        127⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        128⤵
        
        PID:7364
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        126⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:7812
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        127⤵
        
        PID:7004
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        125⤵
        Adds Run key to start application
        
        PID:7612
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        126⤵
        Modifies Windows Firewall
        
        PID:7968
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        124⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        125⤵
        
        PID:7712
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        123⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        124⤵
        
        PID:7484
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        122⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        123⤵
        
        PID:6500
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        121⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        122⤵
        Modifies Windows Firewall
        
        PID:8036
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        120⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        121⤵
        
        PID:7860
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        119⤵
        Drops autorun.inf file
        
        PID:7388
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        120⤵
        
        PID:7684
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        118⤵
        Drops autorun.inf file
        
        PID:7160
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        119⤵
        
        PID:7496
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        117⤵
        Drops autorun.inf file
        
        PID:6544
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        118⤵
        Modifies Windows Firewall
        
        PID:7320
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        116⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        117⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        115⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        116⤵
        
        PID:6568
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        114⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        115⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        113⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        114⤵
        Modifies Windows Firewall
        
        PID:7016
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        112⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        113⤵
        
        PID:6548
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        111⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        112⤵
        
        PID:6840
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        110⤵
        Adds Run key to start application
        
        PID:6844
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        111⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        109⤵
        Adds Run key to start application
        
        PID:6620
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        110⤵
        
        PID:7056
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        108⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        109⤵
        
        PID:6780
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        107⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        108⤵
        
        PID:6416
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        106⤵
        Adds Run key to start application
        
        PID:7024
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        107⤵
        Modifies Windows Firewall
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        105⤵
        Adds Run key to start application
        
        PID:6816
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        106⤵
        
        PID:7144
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        104⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        105⤵
        
        PID:6944
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        103⤵
        Drops autorun.inf file
        
        PID:6404
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        104⤵
        
        PID:6728
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        102⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        103⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        101⤵
        Adds Run key to start application
        
        PID:5340
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        102⤵
        
        PID:6328
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        100⤵
        Adds Run key to start application
        
        PID:5452
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        101⤵
        
        PID:6164
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        99⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        100⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        98⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        99⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        97⤵
        Adds Run key to start application
        
        PID:6016
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        98⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        96⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        97⤵
        Modifies Windows Firewall
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        95⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:5980
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        96⤵
        Modifies Windows Firewall
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        94⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        95⤵
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        93⤵
        Drops autorun.inf file
        
        PID:5660
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        94⤵
        Modifies Windows Firewall
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        92⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        93⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        91⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        92⤵
        
        PID:5984
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        90⤵
        Adds Run key to start application
        
        PID:5308
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        91⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        89⤵
        Drops autorun.inf file
        
        PID:6136
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        90⤵
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        88⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        89⤵
        Modifies Windows Firewall
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        87⤵
        Drops autorun.inf file
        
        PID:5536
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        88⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        86⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:5784
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        87⤵
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        85⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        86⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        84⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        85⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        83⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        84⤵
        Modifies Windows Firewall
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        82⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:5372
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        83⤵
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        81⤵
        Adds Run key to start application
        
        PID:4972
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        82⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        80⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        81⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        79⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        80⤵
        
        PID:6088
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        78⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        79⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        77⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        78⤵
        Modifies Windows Firewall
        
        PID:5756
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        76⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        77⤵
        Modifies Windows Firewall
        
        PID:5600
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        75⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        76⤵
        Modifies Windows Firewall
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        74⤵
        Adds Run key to start application
        
        PID:4920
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        75⤵
        Modifies Windows Firewall
        
        PID:5244
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        73⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        74⤵
        Modifies Windows Firewall
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        72⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:4600
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        73⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        71⤵
        Drops autorun.inf file
        
        PID:4116
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        72⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        70⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        71⤵
        Modifies Windows Firewall
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        69⤵
        Drops autorun.inf file
        
        PID:4552
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        70⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        68⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4724
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        69⤵
        Modifies Windows Firewall
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        67⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        68⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        66⤵
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:4332
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        67⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        65⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        66⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        64⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3704
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        65⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        63⤵
        Adds Run key to start application
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        64⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        62⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4568
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        63⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        61⤵
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        62⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        60⤵
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        61⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        59⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        60⤵
        Modifies Windows Firewall
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        58⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4148
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        59⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        57⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4396
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        58⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        56⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4160
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        57⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        55⤵
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        56⤵
        Modifies Windows Firewall
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        54⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        55⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        53⤵
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        54⤵
        Modifies Windows Firewall
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        52⤵
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:4608
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        53⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        51⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        52⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        50⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4268
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        51⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        49⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        50⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        48⤵
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        49⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        47⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        48⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        46⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3088
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        47⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        45⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3716
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        46⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        44⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        45⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        43⤵
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:3720
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        44⤵
        Modifies Windows Firewall
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        42⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        43⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        41⤵
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:3200
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        42⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        40⤵
        Adds Run key to start application
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:3460
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        41⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        39⤵
        Adds Run key to start application
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:3816
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        40⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        38⤵
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:3684
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        39⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        37⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        38⤵
        Modifies Windows Firewall
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        36⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3592
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        37⤵
        Modifies Windows Firewall
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        35⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3868
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        36⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3596
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        35⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3332
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        34⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3228
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        33⤵
        Modifies Windows Firewall
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4068
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        32⤵
        Modifies Windows Firewall
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        30⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        31⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:3728
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        30⤵
        Modifies Windows Firewall
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        28⤵
        Executes dropped EXE
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        29⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        28⤵
        Modifies Windows Firewall
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        27⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        26⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        25⤵
        Modifies Windows Firewall
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        24⤵
        Modifies Windows Firewall
        
        PID:2776
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 800
        24⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        23⤵
        
        PID:2628
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 616
        23⤵
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        22⤵
        Modifies Windows Firewall
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        21⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        19⤵
        Executes dropped EXE
        Drops autorun.inf file
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        20⤵
        Modifies Windows Firewall
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops autorun.inf file
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        19⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        18⤵
        
        PID:2616
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 696
        18⤵
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        17⤵
        
        PID:1748
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 676
        17⤵
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        16⤵
        Modifies Windows Firewall
        
        PID:1704
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 772
        16⤵
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        15⤵
        
        PID:908
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 612
        15⤵
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 452
        14⤵
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        12⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        13⤵
        Modifies Windows Firewall
        
        PID:1252
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 772
        13⤵
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        11⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 468
        12⤵
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 444
        11⤵
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 448
        10⤵
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        8⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 448
        9⤵
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 444
        8⤵
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1296
      - C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 448
        7⤵
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2812
    - - C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 448
        6⤵
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:700
  - - C:\Users\Admin\AppData\Local\Temp\firewall.exe
      "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2600
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 448
        5⤵
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2804
- - C:\Users\Admin\AppData\Local\Temp\firewall.exe
    "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 448
      4⤵
      Loads dropped DLL
      Suspicious behavior: GetForegroundWindowSpam
      PID:2036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20251472931773782656-1576039694-531885778-692501751-1422621171-1444574897-50353409"
1⤵
PID:4004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2079740588-18395365641295477587-17943024362081457173-2008131164118830058518157908"
1⤵
PID:3680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11093675511230549848-197805417-1413792619214362119378401157529491967283475774"
1⤵
PID:1628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1744492268-1928640524-18691968211849215655-1683947586-1396263606-1267571019-103912462"
1⤵
PID:4564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-54726564-2165595702016792488-1125458579-16935220891464725563-1995880768-186687075"
1⤵
PID:3532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "173174609715208034171396690531-1552161427-819058201198869920713689263401796367550"
1⤵
PID:4352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2673208131910477621213275801748242724869945208616299978-12455917541498486543"
1⤵
PID:4604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8011517989023413442030405265-109712483429032355-349664253764751223-276444024"
1⤵
PID:5712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1862083205-1805932713-1462415750-2107883219-10698618371823877204-988443451-595089234"
1⤵
PID:1596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1739774443-572371062-2264099461268552392979803262174006169716380589361523458504"
1⤵
PID:5332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "874047844-640451798-1665826960-526485156-1405659934402390561439515853273316439"
1⤵
PID:6576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19262275782102372632-1525137531-4096869512031383586000786991947989786-161818545"
1⤵
PID:6164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "443425800-758414831904883201163872052796509932-7198047491919090882963446351"
1⤵
PID:5824

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:6780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-760392510576731457-151030939812351318239980704-1643105277-907486538807825790"
1⤵
PID:7684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "924606291746642801-9011195631452936139-547793322-862671979-2682112901933542804"
1⤵
PID:6568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18151632892056862026-1146832764814104979-1803719604420013956-535841284-1279642386"
1⤵
PID:7484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1123171608-18407187931744508634565390080915217986-8419869662089029461883117721"
1⤵
PID:7544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BlackData.dat

Filesize
3B

MD5
93cba07454f06a4a960172bbd6e2a435

SHA1
5397e0583f14f6c88de06b1ef28f460a1fb5b0ae

SHA256
85a39ab345d672ff8ca9b9c6876f3adcacf45ee7c1e2dbd2408fd338bd55e07e

SHA512
6b99acba1e4e469610f9227829648fa52e7ad463f22568f0a04188f2d465a585ba077f12d1a527674c338470e79665fd16e54f25553482cddd85845232d186f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe

Filesize
462KB

MD5
a8a8d6f3b48466242959545235d1c9b6

SHA1
0c2d670dc3b3b07a2498756e1d46fd1fee53a621

SHA256
09d709640f6884d6b7e7501175cfdcc3724df07785c081c0e14b20cbcdf382ec

SHA512
09f08dd6026b2e24a05e20505723055deceffaba3d351dd49cdc934d038ef0796a3d8d481fe7734b3ec3ba80f4800994983441204dbc3f12baf4f637534a4796

Download Submit
C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe

Filesize
12.1MB

MD5
750015e08a9409c80cd3837daebb970a

SHA1
bfd1122f8c459862717b0b7a50b7216fc2573880

SHA256
3c413ee4b07c531c891ac1852d3d1b6a60bdc92e549e9cf4744d4fe85ebb5de2

SHA512
f35938eac84d6084d9239977462c965bab95924895cd2b73e501a7d7c2ff400aaeaefbdc3302ac8f8c13cd49e22d19e95ef530cf1cc10f79f6ab62653021e5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\firewall.exe

Filesize
40KB

MD5
085242fc50844dc41d1966e620d3e121

SHA1
5e9a343256313938468d5d4fb92e39c5ef6f8c91

SHA256
180b8e0169f2c89d3b4f34d3ee5b26f5578211068be74cf9c2fd194d8cda9b3d

SHA512
3341c74802aa98ce2bd7b15d2921d3082110c62ee6d82df784cb610c1594d905c82c6ae79cf43d76f98db7a8a4951686898ba1dddeb9615fca6480ac6bb7887b

Download Submit
C:\Users\Admin\Music\autorun.inf

Filesize
287B

MD5
15755ea8c0f620cfdaf9ada425e6b4c2

SHA1
868d9aca932d7a1a0d26ba19d613e34f3325a4eb

SHA256
3ae21c30b4273c6dfcc5841aaa18d776e53dd9dd9458051cb5457e25af4250fe

SHA512
6a44ff83fcf9d22fe1d06d3333be2bcfd45df0a9bc449cdf857d255c69d88497efc8c00c6a4ba383da6ebd7d422e87fea2e78ad62ec678fa3dc1aac29e34fae9

Download Submit
C:\Users\Admin\Pictures\autorun.inf

Filesize
299B

MD5
d7111cd7ccdee778d8261d4e03614a85

SHA1
f88c30e0403764b7384e3ef64cb54a1c2f5121f4

SHA256
6ad6f66d55b492f4f982a1bbe9ba99b20f3c77b93285cca02ca7843642336aa3

SHA512
15578fff5e7ee767edeaa4da93a66b2a634d8caa7a0a06223481fa6ab1c97c64f3871a36550406bc29f2e1262bb01e282d022cd55e9e7aa8ce9745fa3037c5b1

Download Submit
C:\Users\Admin\Videos\autorun.inf

Filesize
291B

MD5
5cda9292cfaacb554b5ddda7a5d8daa0

SHA1
05d78ca665e4186a6245c29c9b392e090a9d0937

SHA256
8cbbcbdb2618fb7eaf7e09ceceee1c9d0cbdf609e4f0fc9a6a2de71912ceb174

SHA512
825381e97b7a0458898f27a95584affa011d1038a380a3e19c81cb04a80bbb9924536fa6c53dbde073d371de2918ede9a0e2427b9227888ce208b6ac50accdba

Download Submit
memory/1032-12-0x000007FEF5363000-0x000007FEF5364000-memory.dmp

Filesize
4KB

Download
memory/1032-27-0x0000000000AE0000-0x00000000016FA000-memory.dmp

Filesize
12.1MB

Download
memory/1032-1226-0x000007FEF5363000-0x000007FEF5364000-memory.dmp

Filesize
4KB

Download