f911a357abf083c321d7240e1070b470c9d2a64c1503700dbec45980c88c0aa4

Analysis

max time kernel
98s
max time network
151s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Majid Z Hacker.exe
Size

462KB
MD5

a8a8d6f3b48466242959545235d1c9b6
SHA1

0c2d670dc3b3b07a2498756e1d46fd1fee53a621
SHA256

09d709640f6884d6b7e7501175cfdcc3724df07785c081c0e14b20cbcdf382ec
SHA512

09f08dd6026b2e24a05e20505723055deceffaba3d351dd49cdc934d038ef0796a3d8d481fe7734b3ec3ba80f4800994983441204dbc3f12baf4f637534a4796
SSDEEP

12288:6rs81bE0LfUk6XLbwxMY4R/3CDOpeYYhN7zjYC/M:6H5rh6XPbYuCDOpmPzjZM

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 64 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3452	netsh.exe
9056	netsh.exe
9524	netsh.exe
7600	netsh.exe
7956	netsh.exe
696	netsh.exe
8348	netsh.exe
9896	netsh.exe
9940	netsh.exe
10572	netsh.exe
2140	netsh.exe
11620	netsh.exe
5132	netsh.exe
9976	netsh.exe
7984	netsh.exe
2312	netsh.exe
9684	netsh.exe
11636	netsh.exe
5864	netsh.exe
7124	netsh.exe
7884	netsh.exe
13048	netsh.exe
3664	netsh.exe
3944	netsh.exe
6324	netsh.exe
10728	netsh.exe
10324	netsh.exe
11268	netsh.exe
5616	netsh.exe
5964	netsh.exe
8680	netsh.exe
9036	netsh.exe
6192	netsh.exe
11532	netsh.exe
12292	netsh.exe
4676	netsh.exe
6756	netsh.exe
8576	netsh.exe
7944	netsh.exe
9828	netsh.exe
3136	netsh.exe
6180	netsh.exe
2516	netsh.exe
5900	netsh.exe
6384	netsh.exe
8136	netsh.exe
4560	netsh.exe
4280	netsh.exe
5408	netsh.exe
9828	netsh.exe
11244	netsh.exe
12304	netsh.exe
5752	netsh.exe
6176	netsh.exe
10392	netsh.exe
6556	netsh.exe
6320	netsh.exe
7236	netsh.exe
7092	netsh.exe
9768	netsh.exe
11460	netsh.exe
804	netsh.exe
5900	netsh.exe
1312	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	firewall.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	firewall.exe

Executes dropped EXE 64 IoCs

pid	Process
2884	firewall.exe
2916	firewall.exe
2672	firewall.exe
2444	firewall.exe
2604	firewall.exe
1036	firewall.exe
1828	firewall.exe
2404	firewall.exe
784	firewall.exe
1716	firewall.exe
2628	firewall.exe
1968	firewall.exe
360	firewall.exe
2188	firewall.exe
2596	firewall.exe
1308	firewall.exe
304	firewall.exe
1668	firewall.exe
592	firewall.exe
1552	firewall.exe
3296	firewall.exe
3496	firewall.exe
3636	firewall.exe
3772	firewall.exe
3992	firewall.exe
3140	firewall.exe
1776	firewall.exe
3256	firewall.exe
3868	firewall.exe
4040	firewall.exe
3132	firewall.exe
3404	firewall.exe
3104	firewall.exe
1952	firewall.exe
3356	firewall.exe
3240	firewall.exe
3560	firewall.exe
3704	firewall.exe
3972	firewall.exe
3844	firewall.exe
2016	firewall.exe
3700	firewall.exe
3920	firewall.exe
3740	firewall.exe
3544	firewall.exe
4192	firewall.exe
4360	firewall.exe
4528	firewall.exe
4696	firewall.exe
4864	firewall.exe
5028	firewall.exe
4124	firewall.exe
4400	firewall.exe
4564	firewall.exe
4712	firewall.exe
4892	firewall.exe
4784	firewall.exe
4600	firewall.exe
4648	firewall.exe
4624	firewall.exe
4488	firewall.exe
4928	firewall.exe
5024	firewall.exe
4756	firewall.exe

Loads dropped DLL 64 IoCs

pid	Process
2764	Majid Z Hacker.exe
2836	Majid Z Hacker.exe
2060	Majid Z Hacker.exe
2640	Majid Z Hacker.exe
2568	Majid Z Hacker.exe
2624	Majid Z Hacker.exe
2236	Majid Z Hacker.exe
2424	Majid Z Hacker.exe
2032	dw20.exe
772	dw20.exe
2856	dw20.exe
320	dw20.exe
2220	Majid Z Hacker.exe
680	Majid Z Hacker.exe
964	dw20.exe
1568	Majid Z Hacker.exe
2800	dw20.exe
2420	Majid Z Hacker.exe
2228	Majid Z Hacker.exe
2376	Majid Z Hacker.exe
2208	dw20.exe
2516	Majid Z Hacker.exe
2560	Majid Z Hacker.exe
2608	dw20.exe
2728	dw20.exe
1552	Majid Z Hacker.exe
2464	dw20.exe
2936	dw20.exe
2372	dw20.exe
2664	Majid Z Hacker.exe
1720	dw20.exe
1796	Majid Z Hacker.exe
1104	Majid Z Hacker.exe
804	Majid Z Hacker.exe
2248	dw20.exe
3256	Majid Z Hacker.exe
3488	Majid Z Hacker.exe
3628	Majid Z Hacker.exe
3764	Majid Z Hacker.exe
3984	Majid Z Hacker.exe
3136	Majid Z Hacker.exe
1796	Majid Z Hacker.exe
3484	Majid Z Hacker.exe
3848	Majid Z Hacker.exe
4032	Majid Z Hacker.exe
3168	Majid Z Hacker.exe
3428	Majid Z Hacker.exe
3388	Majid Z Hacker.exe
3116	Majid Z Hacker.exe
3808	Majid Z Hacker.exe
2352	Majid Z Hacker.exe
3616	Majid Z Hacker.exe
3700	Majid Z Hacker.exe
4064	Majid Z Hacker.exe
2128	Majid Z Hacker.exe
2352	Majid Z Hacker.exe
4064	Majid Z Hacker.exe
2416	Majid Z Hacker.exe
2140	Majid Z Hacker.exe
1544	Majid Z Hacker.exe
4184	Majid Z Hacker.exe
4352	Majid Z Hacker.exe
4520	Majid Z Hacker.exe
4688	Majid Z Hacker.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe

Drops autorun.inf file 1 TTPs 64 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
360	firewall.exe
360	firewall.exe
1828	firewall.exe
1828	firewall.exe
360	firewall.exe
1828	firewall.exe
360	firewall.exe
1828	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2916	firewall.exe
2916	firewall.exe
1036	firewall.exe
2916	firewall.exe
1036	firewall.exe
1036	firewall.exe
2916	firewall.exe
1036	firewall.exe
1968	firewall.exe
1968	firewall.exe
1968	firewall.exe
2604	firewall.exe
1968	firewall.exe
2604	firewall.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	firewall.exe
Token: SeDebugPrivilege	2604	firewall.exe
Token: SeDebugPrivilege	1828	firewall.exe
Token: SeDebugPrivilege	784	firewall.exe
Token: SeDebugPrivilege	2628	firewall.exe
Token: SeDebugPrivilege	360	firewall.exe
Token: SeDebugPrivilege	2596	firewall.exe
Token: SeDebugPrivilege	304	firewall.exe
Token: SeDebugPrivilege	1036	firewall.exe
Token: SeDebugPrivilege	1968	firewall.exe
Token: SeDebugPrivilege	1716	firewall.exe
Token: SeDebugPrivilege	2444	firewall.exe
Token: SeDebugPrivilege	2404	firewall.exe
Token: SeDebugPrivilege	2884	firewall.exe
Token: SeDebugPrivilege	2672	firewall.exe
Token: SeDebugPrivilege	2188	firewall.exe
Token: SeDebugPrivilege	1308	firewall.exe
Token: SeDebugPrivilege	1668	firewall.exe
Token: SeDebugPrivilege	592	firewall.exe
Token: SeDebugPrivilege	1552	firewall.exe
Token: SeDebugPrivilege	3296	firewall.exe
Token: SeDebugPrivilege	3496	firewall.exe
Token: SeDebugPrivilege	3636	firewall.exe
Token: SeDebugPrivilege	3772	firewall.exe
Token: SeDebugPrivilege	3992	firewall.exe
Token: SeDebugPrivilege	3140	firewall.exe
Token: SeDebugPrivilege	1776	firewall.exe
Token: SeDebugPrivilege	3256	firewall.exe
Token: SeDebugPrivilege	3868	firewall.exe
Token: SeDebugPrivilege	4040	firewall.exe
Token: SeDebugPrivilege	3132	firewall.exe
Token: SeDebugPrivilege	3404	firewall.exe
Token: SeDebugPrivilege	3104	firewall.exe
Token: SeDebugPrivilege	1952	firewall.exe
Token: SeDebugPrivilege	3356	firewall.exe
Token: SeDebugPrivilege	3240	firewall.exe
Token: SeDebugPrivilege	3560	firewall.exe
Token: SeDebugPrivilege	3704	firewall.exe
Token: SeDebugPrivilege	3972	firewall.exe
Token: SeDebugPrivilege	3844	firewall.exe
Token: SeDebugPrivilege	2016	firewall.exe
Token: SeDebugPrivilege	3700	firewall.exe
Token: SeDebugPrivilege	3920	firewall.exe
Token: SeDebugPrivilege	3740	firewall.exe
Token: SeDebugPrivilege	3544	firewall.exe
Token: SeDebugPrivilege	4192	firewall.exe
Token: SeDebugPrivilege	4360	firewall.exe
Token: SeDebugPrivilege	4528	firewall.exe
Token: SeDebugPrivilege	4696	firewall.exe
Token: SeDebugPrivilege	4864	firewall.exe
Token: SeDebugPrivilege	5028	firewall.exe
Token: SeDebugPrivilege	4124	firewall.exe
Token: SeDebugPrivilege	4400	firewall.exe
Token: SeDebugPrivilege	4564	firewall.exe
Token: SeDebugPrivilege	4712	firewall.exe
Token: SeDebugPrivilege	4892	firewall.exe
Token: SeDebugPrivilege	4784	firewall.exe
Token: SeDebugPrivilege	4600	firewall.exe
Token: SeDebugPrivilege	4648	firewall.exe
Token: SeDebugPrivilege	4624	firewall.exe
Token: SeDebugPrivilege	4488	firewall.exe
Token: SeDebugPrivilege	4928	firewall.exe
Token: SeDebugPrivilege	5024	firewall.exe
Token: SeDebugPrivilege	4756	firewall.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2836	2764	Majid Z Hacker.exe	28
PID 2764 wrote to memory of 2836	2764	Majid Z Hacker.exe	28
PID 2764 wrote to memory of 2836	2764	Majid Z Hacker.exe	28
PID 2764 wrote to memory of 2836	2764	Majid Z Hacker.exe	28
PID 2764 wrote to memory of 2884	2764	Majid Z Hacker.exe	29
PID 2764 wrote to memory of 2884	2764	Majid Z Hacker.exe	29
PID 2764 wrote to memory of 2884	2764	Majid Z Hacker.exe	29
PID 2764 wrote to memory of 2884	2764	Majid Z Hacker.exe	29
PID 2836 wrote to memory of 2060	2836	Majid Z Hacker.exe	30
PID 2836 wrote to memory of 2060	2836	Majid Z Hacker.exe	30
PID 2836 wrote to memory of 2060	2836	Majid Z Hacker.exe	30
PID 2836 wrote to memory of 2060	2836	Majid Z Hacker.exe	30
PID 2836 wrote to memory of 2916	2836	Majid Z Hacker.exe	31
PID 2836 wrote to memory of 2916	2836	Majid Z Hacker.exe	31
PID 2836 wrote to memory of 2916	2836	Majid Z Hacker.exe	31
PID 2836 wrote to memory of 2916	2836	Majid Z Hacker.exe	31
PID 2060 wrote to memory of 2640	2060	Majid Z Hacker.exe	32
PID 2060 wrote to memory of 2640	2060	Majid Z Hacker.exe	32
PID 2060 wrote to memory of 2640	2060	Majid Z Hacker.exe	32
PID 2060 wrote to memory of 2640	2060	Majid Z Hacker.exe	32
PID 2060 wrote to memory of 2672	2060	Majid Z Hacker.exe	33
PID 2060 wrote to memory of 2672	2060	Majid Z Hacker.exe	33
PID 2060 wrote to memory of 2672	2060	Majid Z Hacker.exe	33
PID 2060 wrote to memory of 2672	2060	Majid Z Hacker.exe	33
PID 2640 wrote to memory of 2568	2640	Majid Z Hacker.exe	34
PID 2640 wrote to memory of 2568	2640	Majid Z Hacker.exe	34
PID 2640 wrote to memory of 2568	2640	Majid Z Hacker.exe	34
PID 2640 wrote to memory of 2568	2640	Majid Z Hacker.exe	34
PID 2640 wrote to memory of 2444	2640	Majid Z Hacker.exe	35
PID 2640 wrote to memory of 2444	2640	Majid Z Hacker.exe	35
PID 2640 wrote to memory of 2444	2640	Majid Z Hacker.exe	35
PID 2640 wrote to memory of 2444	2640	Majid Z Hacker.exe	35
PID 2568 wrote to memory of 2624	2568	Majid Z Hacker.exe	36
PID 2568 wrote to memory of 2624	2568	Majid Z Hacker.exe	36
PID 2568 wrote to memory of 2624	2568	Majid Z Hacker.exe	36
PID 2568 wrote to memory of 2624	2568	Majid Z Hacker.exe	36
PID 2568 wrote to memory of 2604	2568	Majid Z Hacker.exe	37
PID 2568 wrote to memory of 2604	2568	Majid Z Hacker.exe	37
PID 2568 wrote to memory of 2604	2568	Majid Z Hacker.exe	37
PID 2568 wrote to memory of 2604	2568	Majid Z Hacker.exe	37
PID 2884 wrote to memory of 2856	2884	firewall.exe	39
PID 2884 wrote to memory of 2856	2884	firewall.exe	39
PID 2884 wrote to memory of 2856	2884	firewall.exe	39
PID 2884 wrote to memory of 2856	2884	firewall.exe	39
PID 2444 wrote to memory of 2032	2444	firewall.exe	38
PID 2444 wrote to memory of 2032	2444	firewall.exe	38
PID 2444 wrote to memory of 2032	2444	firewall.exe	38
PID 2444 wrote to memory of 2032	2444	firewall.exe	38
PID 2916 wrote to memory of 2140	2916	firewall.exe	40
PID 2916 wrote to memory of 2140	2916	firewall.exe	40
PID 2916 wrote to memory of 2140	2916	firewall.exe	40
PID 2916 wrote to memory of 2140	2916	firewall.exe	40
PID 2604 wrote to memory of 2016	2604	firewall.exe	41
PID 2604 wrote to memory of 2016	2604	firewall.exe	41
PID 2604 wrote to memory of 2016	2604	firewall.exe	41
PID 2604 wrote to memory of 2016	2604	firewall.exe	41
PID 2624 wrote to memory of 2236	2624	Majid Z Hacker.exe	43
PID 2624 wrote to memory of 2236	2624	Majid Z Hacker.exe	43
PID 2624 wrote to memory of 2236	2624	Majid Z Hacker.exe	43
PID 2624 wrote to memory of 2236	2624	Majid Z Hacker.exe	43
PID 2624 wrote to memory of 1036	2624	Majid Z Hacker.exe	44
PID 2624 wrote to memory of 1036	2624	Majid Z Hacker.exe	44
PID 2624 wrote to memory of 1036	2624	Majid Z Hacker.exe	44
PID 2624 wrote to memory of 1036	2624	Majid Z Hacker.exe	44

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
  "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
    "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
      "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        7⤵
        Loads dropped DLL
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        8⤵
        Loads dropped DLL
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        9⤵
        Loads dropped DLL
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        10⤵
        Loads dropped DLL
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        11⤵
        Loads dropped DLL
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        12⤵
        Loads dropped DLL
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        13⤵
        Loads dropped DLL
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        14⤵
        Loads dropped DLL
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        15⤵
        Loads dropped DLL
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        16⤵
        Loads dropped DLL
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        17⤵
        Loads dropped DLL
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        18⤵
        Loads dropped DLL
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        19⤵
        Loads dropped DLL
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        20⤵
        Loads dropped DLL
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        21⤵
        Loads dropped DLL
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        22⤵
        Loads dropped DLL
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        23⤵
        Loads dropped DLL
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        24⤵
        Loads dropped DLL
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        25⤵
        Loads dropped DLL
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        26⤵
        Loads dropped DLL
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        27⤵
        Loads dropped DLL
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        28⤵
        Loads dropped DLL
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        29⤵
        Loads dropped DLL
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        30⤵
        Loads dropped DLL
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        31⤵
        Loads dropped DLL
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        32⤵
        Loads dropped DLL
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        33⤵
        Loads dropped DLL
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        34⤵
        Loads dropped DLL
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        35⤵
        Loads dropped DLL
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        36⤵
        Loads dropped DLL
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        37⤵
        Loads dropped DLL
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        38⤵
        Loads dropped DLL
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        39⤵
        Loads dropped DLL
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        40⤵
        Loads dropped DLL
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        41⤵
        Loads dropped DLL
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        42⤵
        Loads dropped DLL
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        43⤵
        Loads dropped DLL
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        44⤵
        Loads dropped DLL
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        45⤵
        Loads dropped DLL
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        46⤵
        Loads dropped DLL
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        47⤵
        Loads dropped DLL
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        48⤵
        Loads dropped DLL
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        49⤵
        Loads dropped DLL
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        50⤵
        Loads dropped DLL
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        51⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        52⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        53⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        54⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        55⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        56⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        57⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        58⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        59⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        60⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        61⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        62⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        63⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        64⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        65⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        66⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        67⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        68⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        69⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        70⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        71⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        72⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        73⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        74⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        75⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        76⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        77⤵
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        78⤵
        
        PID:5448
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        79⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        80⤵
        
        PID:5788
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        81⤵
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        82⤵
        
        PID:6128
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        83⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        84⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        85⤵
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        86⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        87⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        88⤵
        
        PID:5412
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        89⤵
        
        PID:5700
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        90⤵
        
        PID:5756
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        91⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        92⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        93⤵
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        94⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        95⤵
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        96⤵
        
        PID:5304
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        97⤵
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        98⤵
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        99⤵
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        100⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        101⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        102⤵
        
        PID:6244
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        103⤵
        
        PID:6440
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        104⤵
        
        PID:6632
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        105⤵
        
        PID:6820
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        106⤵
        
        PID:7008
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        107⤵
        
        PID:6148
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        108⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        109⤵
        
        PID:6680
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        110⤵
        
        PID:6388
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        111⤵
        
        PID:7136
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        112⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        113⤵
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        114⤵
        
        PID:6908
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        115⤵
        
        PID:6180
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        116⤵
        
        PID:7108
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        117⤵
        
        PID:7088
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        118⤵
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        119⤵
        
        PID:6312
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        120⤵
        
        PID:7304
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        121⤵
        
        PID:7480
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        122⤵
        
        PID:7660
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        123⤵
        
        PID:7836
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        124⤵
        
        PID:8020
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        125⤵
        
        PID:6928
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        126⤵
        
        PID:6180
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        127⤵
        
        PID:7308
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        128⤵
        
        PID:7824
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        129⤵
        
        PID:8100
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        130⤵
        
        PID:7300
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        131⤵
        
        PID:7476
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        132⤵
        
        PID:7988
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        133⤵
        
        PID:7204
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        134⤵
        
        PID:7744
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        135⤵
        
        PID:7660
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        136⤵
        
        PID:7212
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        137⤵
        
        PID:7300
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        138⤵
        
        PID:7184
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        139⤵
        
        PID:7524
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        140⤵
        
        PID:7452
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        141⤵
        
        PID:8280
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        142⤵
        
        PID:8456
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        143⤵
        
        PID:8632
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        144⤵
        
        PID:8812
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        145⤵
        
        PID:8992
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        146⤵
        
        PID:9172
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        147⤵
        
        PID:7184
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        148⤵
        
        PID:8544
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        149⤵
        
        PID:8744
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        150⤵
        
        PID:8812
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        151⤵
        
        PID:8200
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        152⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        153⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        154⤵
        
        PID:8664
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        155⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        156⤵
        
        PID:8756
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        157⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        158⤵
        
        PID:8348
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        159⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        160⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        161⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        162⤵
        
        PID:8484
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        163⤵
        
        PID:8348
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        164⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        165⤵
        
        PID:7820
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        166⤵
        
        PID:8540
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        167⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        168⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        169⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        170⤵
        
        PID:9164
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        171⤵
        
        PID:8460
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        172⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        173⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        174⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        175⤵
        
        PID:8760
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        176⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        177⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        178⤵
        
        PID:9300
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        179⤵
        
        PID:9476
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        180⤵
        
        PID:9660
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        181⤵
        
        PID:9828
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        182⤵
        
        PID:10016
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        183⤵
        
        PID:10196
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        184⤵
        
        PID:8840
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        185⤵
        
        PID:8540
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        186⤵
        
        PID:9796
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        187⤵
        
        PID:10080
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        188⤵
        
        PID:10192
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        189⤵
        
        PID:9412
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        190⤵
        
        PID:8840
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        191⤵
        
        PID:9292
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        192⤵
        
        PID:9784
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        193⤵
        
        PID:9332
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        194⤵
        
        PID:9556
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        195⤵
        
        PID:9660
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        196⤵
        
        PID:9684
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        197⤵
        
        PID:9332
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        198⤵
        
        PID:9852
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        199⤵
        
        PID:10084
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        200⤵
        
        PID:9596
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        201⤵
        
        PID:10220
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        202⤵
        
        PID:10416
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        203⤵
        
        PID:10608
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        204⤵
        
        PID:10800
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        205⤵
        
        PID:11008
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        206⤵
        
        PID:11204
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        207⤵
        
        PID:10384
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        208⤵
        
        PID:10448
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        209⤵
        
        PID:10920
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        210⤵
        
        PID:11036
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        211⤵
        
        PID:10928
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        212⤵
        
        PID:11124
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        213⤵
        
        PID:10600
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        214⤵
        
        PID:11036
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        215⤵
        
        PID:10364
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        216⤵
        
        PID:11204
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        217⤵
        
        PID:10736
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        218⤵
        
        PID:10416
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        219⤵
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        220⤵
        
        PID:11164
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        221⤵
        
        PID:11340
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        222⤵
        
        PID:11512
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        223⤵
        
        PID:11704
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        224⤵
        
        PID:11912
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        225⤵
        
        PID:12080
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        226⤵
        
        PID:12264
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        227⤵
        
        PID:11428
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        228⤵
        
        PID:11648
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        229⤵
        
        PID:11708
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        230⤵
        
        PID:11644
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        231⤵
        
        PID:11368
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        232⤵
        
        PID:11772
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        233⤵
        
        PID:11720
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        234⤵
        
        PID:8052
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        235⤵
        
        PID:11428
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        236⤵
        
        PID:11824
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        237⤵
        
        PID:11928
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        238⤵
        
        PID:11720
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        239⤵
        
        PID:11328
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        240⤵
        
        PID:12240
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        241⤵
        
        PID:11616
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        242⤵
        
        PID:11412
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        243⤵
        
        PID:12364
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        244⤵
        
        PID:12548
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        245⤵
        
        PID:12736
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        246⤵
        
        PID:12928
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        247⤵
        
        PID:13108
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        248⤵
        
        PID:13296
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        249⤵
        
        PID:12436
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        250⤵
        
        PID:12564
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        251⤵
        
        PID:12876
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        252⤵
        
        PID:12672
        
        C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
        253⤵
        
        PID:9088
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        253⤵
        
        PID:11824
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        252⤵
        
        PID:13184
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        253⤵
        
        PID:12300
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        251⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        252⤵
        Modifies Windows Firewall
        
        PID:12292
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        250⤵
        
        PID:12704
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        251⤵
        
        PID:12524
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        249⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        250⤵
        
        PID:12836
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        248⤵
        
        PID:13304
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        249⤵
        
        PID:12608
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        247⤵
        
        PID:13116
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        248⤵
        
        PID:12356
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        246⤵
        
        PID:12936
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        247⤵
        
        PID:13236
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        245⤵
        
        PID:12748
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        246⤵
        Modifies Windows Firewall
        
        PID:13048
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        244⤵
        
        PID:12556
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        245⤵
        
        PID:12864
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        243⤵
        
        PID:12372
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        244⤵
        
        PID:12668
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        242⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        243⤵
        
        PID:12468
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        241⤵
        
        PID:11804
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        242⤵
        Modifies Windows Firewall
        
        PID:12304
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        240⤵
        
        PID:11808
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        241⤵
        
        PID:11096
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        239⤵
        
        PID:11688
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        240⤵
        Modifies Windows Firewall
        
        PID:11532
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        238⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        239⤵
        
        PID:12264
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        237⤵
        
        PID:11284
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        238⤵
        Modifies Windows Firewall
        
        PID:11268
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        236⤵
        
        PID:11624
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        237⤵
        
        PID:11292
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        235⤵
        
        PID:11368
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        236⤵
        
        PID:11412
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        234⤵
        
        PID:12064
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        235⤵
        
        PID:11604
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        233⤵
        
        PID:11648
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        234⤵
        Modifies Windows Firewall
        
        PID:11460
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        232⤵
        
        PID:11780
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        233⤵
        
        PID:7336
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        231⤵
        
        PID:940
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        232⤵
        
        PID:11880
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        230⤵
        
        PID:12224
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        231⤵
        
        PID:12060
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        229⤵
        
        PID:11968
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        230⤵
        Modifies Windows Firewall
        
        PID:9976
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        228⤵
        
        PID:11736
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        229⤵
        
        PID:11836
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        227⤵
        
        PID:11436
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        228⤵
        
        PID:11732
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        226⤵
        
        PID:12272
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        227⤵
        Modifies Windows Firewall
        
        PID:11620
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        225⤵
        
        PID:12088
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        226⤵
        
        PID:10480
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        224⤵
        
        PID:11920
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        225⤵
        
        PID:12196
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        223⤵
        
        PID:11712
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        224⤵
        
        PID:12016
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        222⤵
        
        PID:11524
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        223⤵
        
        PID:11820
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        221⤵
        
        PID:11348
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        222⤵
        Modifies Windows Firewall
        
        PID:11636
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        220⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        221⤵
        
        PID:11452
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        219⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        220⤵
        
        PID:11272
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        218⤵
        
        PID:10980
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        219⤵
        
        PID:11208
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        217⤵
        
        PID:10924
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        218⤵
        
        PID:10712
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        216⤵
        
        PID:10964
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        217⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        215⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        216⤵
        
        PID:6344
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        214⤵
        
        PID:10936
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        215⤵
        Modifies Windows Firewall
        
        PID:10572
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        213⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        214⤵
        
        PID:10500
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        212⤵
        
        PID:10740
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        213⤵
        Modifies Windows Firewall
        
        PID:11244
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        211⤵
        
        PID:10488
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        212⤵
        
        PID:10800
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        210⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        211⤵
        Modifies Windows Firewall
        
        PID:10324
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        209⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        210⤵
        
        PID:11192
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        208⤵
        
        PID:10120
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        209⤵
        
        PID:11084
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        207⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        208⤵
        
        PID:10864
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        206⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        207⤵
        Modifies Windows Firewall
        
        PID:10392
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        205⤵
        
        PID:11016
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        206⤵
        Modifies Windows Firewall
        
        PID:6192
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        204⤵
        
        PID:10808
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        205⤵
        
        PID:11116
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        203⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        204⤵
        
        PID:10924
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        202⤵
        Adds Run key to start application
        
        PID:10424
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        203⤵
        Modifies Windows Firewall
        
        PID:10728
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        201⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        202⤵
        
        PID:10544
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        200⤵
        
        PID:9828
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        201⤵
        
        PID:10352
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        199⤵
        
        PID:9888
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        200⤵
        
        PID:9332
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        198⤵
        Drops autorun.inf file
        
        PID:10036
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        199⤵
        
        PID:9976
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        197⤵
        Adds Run key to start application
        
        PID:9368
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        198⤵
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        196⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        197⤵
        Modifies Windows Firewall
        
        PID:9940
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        195⤵
        Adds Run key to start application
        
        PID:9564
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        196⤵
        Modifies Windows Firewall
        
        PID:9828
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        194⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        195⤵
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        193⤵
        Drops autorun.inf file
        
        PID:9752
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        194⤵
        
        PID:8840
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        192⤵
        Adds Run key to start application
        
        PID:2216
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        193⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        191⤵
        
        PID:9492
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        192⤵
        Modifies Windows Firewall
        
        PID:9524
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        190⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        191⤵
        Modifies Windows Firewall
        
        PID:9828
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        189⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        190⤵
        Modifies Windows Firewall
        
        PID:9684
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        188⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        189⤵
        
        PID:9548
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        187⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        188⤵
        
        PID:8920
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        186⤵
        Adds Run key to start application
        
        PID:9780
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        187⤵
        
        PID:10112
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        185⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        186⤵
        Modifies Windows Firewall
        
        PID:9896
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        184⤵
        Adds Run key to start application
        
        PID:8912
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        185⤵
        
        PID:9656
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        183⤵
        Adds Run key to start application
        
        PID:10204
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        184⤵
        
        PID:9448
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        182⤵
        Adds Run key to start application
        
        PID:10024
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        183⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        181⤵
        
        PID:9836
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        182⤵
        
        PID:10132
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        180⤵
        Adds Run key to start application
        
        PID:9668
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        181⤵
        
        PID:9952
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        179⤵
        Drops autorun.inf file
        
        PID:9484
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        180⤵
        Modifies Windows Firewall
        
        PID:9768
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        178⤵
        Drops autorun.inf file
        
        PID:9308
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        179⤵
        
        PID:9600
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        177⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        178⤵
        
        PID:9416
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        176⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        177⤵
        
        PID:9244
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        175⤵
        Drops autorun.inf file
        
        PID:1344
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        176⤵
        Modifies Windows Firewall
        
        PID:8348
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        174⤵
        Adds Run key to start application
        
        PID:8756
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        175⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        173⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        174⤵
        
        PID:8272
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        172⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        173⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        171⤵
        Drops autorun.inf file
        
        PID:2704
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        172⤵
        Modifies Windows Firewall
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        170⤵
        Adds Run key to start application
        
        PID:8948
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        171⤵
        
        PID:8024
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        169⤵
        Adds Run key to start application
        
        PID:8360
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        170⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        168⤵
        Adds Run key to start application
        
        PID:2680
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        169⤵
        
        PID:6848
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        167⤵
        Adds Run key to start application
        
        PID:9116
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        168⤵
        Modifies Windows Firewall
        
        PID:7944
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        166⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:8704
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        167⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        165⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        166⤵
        
        PID:8404
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        164⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        165⤵
        Modifies Windows Firewall
        
        PID:9036
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        163⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        164⤵
        Modifies Windows Firewall
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        162⤵
        Drops autorun.inf file
        
        PID:848
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        163⤵
        Modifies Windows Firewall
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        161⤵
        Drops autorun.inf file
        
        PID:1136
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        162⤵
        
        PID:9056
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        160⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        161⤵
        
        PID:8024
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        159⤵
        
        PID:944
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        160⤵
        Modifies Windows Firewall
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        158⤵
        Adds Run key to start application
        
        PID:3564
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        159⤵
        
        PID:9156
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        157⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:336
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        158⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        156⤵
        Adds Run key to start application
        
        PID:8408
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        157⤵
        Modifies Windows Firewall
        
        PID:8680
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        155⤵
        Drops autorun.inf file
        
        PID:2784
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        156⤵
        Modifies Windows Firewall
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        154⤵
        Adds Run key to start application
        
        PID:8456
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        155⤵
        Modifies Windows Firewall
        
        PID:9056
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        153⤵
        Adds Run key to start application
        
        PID:8884
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        154⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        152⤵
        
        PID:844
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        153⤵
        
        PID:8240
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        151⤵
        Drops autorun.inf file
        
        PID:7664
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        152⤵
        
        PID:8480
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        150⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:8848
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        151⤵
        
        PID:8364
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        149⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        150⤵
        
        PID:9032
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        148⤵
        Adds Run key to start application
        
        PID:8552
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        149⤵
        
        PID:8436
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        147⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        148⤵
        
        PID:8628
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        146⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        147⤵
        
        PID:8424
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        145⤵
        Drops autorun.inf file
        
        PID:9004
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        146⤵
        
        PID:7568
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        144⤵
        Drops autorun.inf file
        
        PID:8820
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        145⤵
        
        PID:9108
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        143⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        144⤵
        
        PID:8932
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        142⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        143⤵
        
        PID:8748
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        141⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        142⤵
        Modifies Windows Firewall
        
        PID:8576
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        140⤵
        Drops autorun.inf file
        
        PID:7888
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        141⤵
        
        PID:8392
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        139⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        140⤵
        
        PID:8216
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        138⤵
        Adds Run key to start application
        
        PID:8096
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        139⤵
        
        PID:7244
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        137⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        138⤵
        
        PID:6124
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        136⤵
        Adds Run key to start application
        
        PID:7296
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        137⤵
        Modifies Windows Firewall
        
        PID:7984
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        135⤵
        Adds Run key to start application
        
        PID:7372
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        136⤵
        
        PID:7824
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        134⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        135⤵
        
        PID:7324
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        133⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        134⤵
        
        PID:7388
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        132⤵
        Adds Run key to start application
        
        PID:7968
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        133⤵
        Modifies Windows Firewall
        
        PID:7884
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        131⤵
        Adds Run key to start application
        
        PID:6180
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        132⤵
        
        PID:8184
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        130⤵
        Drops autorun.inf file
        
        PID:7288
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        131⤵
        
        PID:7616
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        129⤵
        Adds Run key to start application
        
        PID:8112
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        130⤵
        
        PID:7448
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        128⤵
        Drops autorun.inf file
        
        PID:7680
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        129⤵
        
        PID:8052
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        127⤵
        Drops autorun.inf file
        
        PID:7528
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        128⤵
        
        PID:7856
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        126⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        127⤵
        
        PID:7656
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        125⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:7116
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        126⤵
        
        PID:7552
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        124⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        125⤵
        
        PID:7260
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        123⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:7844
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        124⤵
        Modifies Windows Firewall
        
        PID:8136
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        122⤵
        Adds Run key to start application
        
        PID:7668
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        123⤵
        Modifies Windows Firewall
        
        PID:7956
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        121⤵
        Drops autorun.inf file
        
        PID:7488
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        122⤵
        
        PID:7780
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        120⤵
        Drops autorun.inf file
        
        PID:7312
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        121⤵
        Modifies Windows Firewall
        
        PID:7600
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        119⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        120⤵
        
        PID:7420
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        118⤵
        Adds Run key to start application
        
        PID:6684
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        119⤵
        Modifies Windows Firewall
        
        PID:7236
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        117⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        118⤵
        
        PID:6576
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        116⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        117⤵
        Modifies Windows Firewall
        
        PID:6180
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        115⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        116⤵
        
        PID:6948
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        114⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        115⤵
        
        PID:6988
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        113⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        114⤵
        Modifies Windows Firewall
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        112⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        113⤵
        Modifies Windows Firewall
        
        PID:6320
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        111⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        112⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        110⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        111⤵
        Modifies Windows Firewall
        
        PID:6324
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        109⤵
        Drops autorun.inf file
        
        PID:6688
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        110⤵
        Modifies Windows Firewall
        
        PID:7092
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        108⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:5592
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        109⤵
        Modifies Windows Firewall
        
        PID:6384
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        107⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        108⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        106⤵
        Adds Run key to start application
        
        PID:7016
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        107⤵
        
        PID:6312
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        105⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        106⤵
        Modifies Windows Firewall
        
        PID:7124
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        104⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        105⤵
        
        PID:6944
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        103⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        104⤵
        Modifies Windows Firewall
        
        PID:6756
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        102⤵
        Adds Run key to start application
        
        PID:6264
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        103⤵
        Modifies Windows Firewall
        
        PID:6556
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        101⤵
        Drops autorun.inf file
        
        PID:5644
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        102⤵
        
        PID:6380
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        100⤵
        Adds Run key to start application
        
        PID:5312
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        101⤵
        Modifies Windows Firewall
        
        PID:6176
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        99⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        100⤵
        Modifies Windows Firewall
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        98⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        99⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        97⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        98⤵
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        96⤵
        Adds Run key to start application
        
        PID:5960
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        97⤵
        
        PID:5820
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        95⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:5264
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        96⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        94⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        95⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        93⤵
        Drops autorun.inf file
        
        PID:5568
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        94⤵
        
        PID:5624
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        92⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        93⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        91⤵
        Drops autorun.inf file
        
        PID:1988
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        92⤵
        Modifies Windows Firewall
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        90⤵
        Adds Run key to start application
        
        PID:5436
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        91⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        89⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:5716
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        90⤵
        Modifies Windows Firewall
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        88⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        89⤵
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        87⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        88⤵
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        86⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        87⤵
        Modifies Windows Firewall
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        85⤵
        Adds Run key to start application
        
        PID:5228
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        86⤵
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        84⤵
        Drops autorun.inf file
        
        PID:5528
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        85⤵
        Modifies Windows Firewall
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        83⤵
        Drops autorun.inf file
        
        PID:1044
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        84⤵
        Modifies Windows Firewall
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        82⤵
        Drops autorun.inf file
        
        PID:6136
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        83⤵
        
        PID:5436
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        81⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        82⤵
        
        PID:5216
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        80⤵
        Drops autorun.inf file
        
        PID:5796
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        81⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        79⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        80⤵
        Modifies Windows Firewall
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        78⤵
        Adds Run key to start application
        
        PID:5456
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        79⤵
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        77⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        78⤵
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        76⤵
        Adds Run key to start application
        
        PID:4180
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        77⤵
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        75⤵
        Adds Run key to start application
        
        PID:4768
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        76⤵
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        74⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        75⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        73⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        74⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        72⤵
        Adds Run key to start application
        
        PID:3144
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        73⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        71⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:4788
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        72⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        70⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        71⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        69⤵
        Drops autorun.inf file
        
        PID:4560
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        70⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        68⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        69⤵
        Modifies Windows Firewall
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        67⤵
        Adds Run key to start application
        Drops autorun.inf file
        
        PID:4484
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        68⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        66⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        67⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        66⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5024
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        65⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        64⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        62⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        63⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        62⤵
        Modifies Windows Firewall
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        60⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        61⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4600
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        60⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        59⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        58⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        57⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        55⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        56⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        54⤵
        Executes dropped EXE
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:4400
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        55⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        53⤵
        Executes dropped EXE
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        54⤵
        Modifies Windows Firewall
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        53⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4864
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        52⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        51⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        50⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        48⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        49⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        48⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3544
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        47⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        45⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:3740
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        46⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3920
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        45⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        43⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3700
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        44⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        43⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3844
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        42⤵
        Modifies Windows Firewall
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3972
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        41⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3704
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        40⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        38⤵
        Executes dropped EXE
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        39⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3240
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        38⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3356
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        37⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        35⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        36⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3104
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        35⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3404
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        34⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        33⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4040
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        32⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3868
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        31⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3256
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        30⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        28⤵
        Executes dropped EXE
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        29⤵
        Modifies Windows Firewall
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        27⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3140
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        28⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        27⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        26⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        24⤵
        Executes dropped EXE
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        25⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        23⤵
        Executes dropped EXE
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:3496
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        24⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        22⤵
        Executes dropped EXE
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:3296
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        23⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        21⤵
        Executes dropped EXE
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        22⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        20⤵
        Executes dropped EXE
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        21⤵
        Modifies Windows Firewall
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 592
        20⤵
        Loads dropped DLL
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        18⤵
        Executes dropped EXE
        Drops autorun.inf file
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        19⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 448
        18⤵
        Loads dropped DLL
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        17⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 484
        16⤵
        Loads dropped DLL
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:360
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        15⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 448
        14⤵
        Loads dropped DLL
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        13⤵
        Modifies Windows Firewall
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 556
        12⤵
        Loads dropped DLL
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        11⤵
        
        PID:1680
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 756
        11⤵
        Loads dropped DLL
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 500
        10⤵
        Loads dropped DLL
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        9⤵
        
        PID:1632
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 632
        9⤵
        Loads dropped DLL
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 444
        8⤵
        Loads dropped DLL
        
        PID:320
      - C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall set opmode disable
        7⤵
        
        PID:2016
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 780
        7⤵
        Loads dropped DLL
        
        PID:2936
    - - C:\Users\Admin\AppData\Local\Temp\firewall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 456
        6⤵
        Loads dropped DLL
        
        PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\firewall.exe
      "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2672
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 628
        5⤵
        Loads dropped DLL
        
        PID:772
- - C:\Users\Admin\AppData\Local\Temp\firewall.exe
    "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\netsh.exe
      "netsh.exe" firewall set opmode disable
      4⤵
      Modifies Windows Firewall
      PID:2140
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 772
      4⤵
      Loads dropped DLL
      PID:2728
- C:\Users\Admin\AppData\Local\Temp\firewall.exe
  "C:\Users\Admin\AppData\Local\Temp\firewall.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 572
    3⤵
    - Loads dropped DLL
    PID:2856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-549707372-2628346891331245724-13082765862091225402-53906973613939001871834518123"
1⤵
PID:804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11536313708799438442017379529-16554675883456718211314171361-760137374-1717077439"
1⤵
PID:3168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1043987661-710423404-20427056031496499535-6310878241603393228-1916148151-1997293299"
1⤵
PID:3324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1860107569-662585351738378917-652335106-212652199717525786931647102342-1462846933"
1⤵
PID:4752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-411666662-1751361135-1183510562-1853172180-358214875-18336381451220587510964699134"
1⤵
PID:4264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-643035334199390561-872879538493539717-16446444631396589144913379261-364730474"
1⤵
PID:856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "141040382156495517327980311-12600766531466742159033224581248507746-509631417"
1⤵
PID:5220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2092504791-5943344172086143565-109074371413233065161029582805-1821831691919787181"
1⤵
PID:5216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "168360081320458414471474604400-1238722726-10619150542827454881327787321937569772"
1⤵
PID:1560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10112734071267476395586725283-1486777935-11812847431466977383-1041406710873541739"
1⤵
PID:5864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "281282672-1317345232768571911-1867511804477898198-2358033068374475751920970725"
1⤵
PID:5132

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:5900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10890699662013739316248433846-1670823814493240711599727591819399407-1235359657"
1⤵
PID:7480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "129133137320694085-46708592-858369067-7279261983444735251157766081-1229179652"
1⤵
PID:7780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1512304783482048576-198146648619018160111553491289-1933019926347531229-1006535483"
1⤵
PID:7884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1310467830515713973286850155-1219409561-15093689271538474957-18931923282142604956"
1⤵
PID:7524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-201473970406825928-1353977453-15427017978709063-10797593661542026373-1148200600"
1⤵
PID:8424

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "200866199-19499132697220967711349264807-1679411000675472599-332767798-426067665"
1⤵
PID:8628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "609967482134560760261598076734929982010285017001484535455-1546354677-322172623"
1⤵
PID:7568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "644946535-1720618752354072920-1120898533310460743188612458296182654981625491"
1⤵
PID:8680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2095534442052688759-970402272-2113804549-2226292011749568171-973092862-1589087206"
1⤵
PID:8272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5443683461169253937-6400846387700751262100594329-533617356578136100-1028540785"
1⤵
PID:4668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-221629376-115776995508091078-16459951611305980996-873738099-747197299-27027829"
1⤵
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BlackData.dat

Filesize
3B

MD5
93cba07454f06a4a960172bbd6e2a435

SHA1
5397e0583f14f6c88de06b1ef28f460a1fb5b0ae

SHA256
85a39ab345d672ff8ca9b9c6876f3adcacf45ee7c1e2dbd2408fd338bd55e07e

SHA512
6b99acba1e4e469610f9227829648fa52e7ad463f22568f0a04188f2d465a585ba077f12d1a527674c338470e79665fd16e54f25553482cddd85845232d186f9

Download Submit
C:\Users\Admin\Documents\My Music\autorun.inf

Filesize
287B

MD5
15755ea8c0f620cfdaf9ada425e6b4c2

SHA1
868d9aca932d7a1a0d26ba19d613e34f3325a4eb

SHA256
3ae21c30b4273c6dfcc5841aaa18d776e53dd9dd9458051cb5457e25af4250fe

SHA512
6a44ff83fcf9d22fe1d06d3333be2bcfd45df0a9bc449cdf857d255c69d88497efc8c00c6a4ba383da6ebd7d422e87fea2e78ad62ec678fa3dc1aac29e34fae9

Download Submit
C:\Users\Admin\Pictures\autorun.inf

Filesize
299B

MD5
d7111cd7ccdee778d8261d4e03614a85

SHA1
f88c30e0403764b7384e3ef64cb54a1c2f5121f4

SHA256
6ad6f66d55b492f4f982a1bbe9ba99b20f3c77b93285cca02ca7843642336aa3

SHA512
15578fff5e7ee767edeaa4da93a66b2a634d8caa7a0a06223481fa6ab1c97c64f3871a36550406bc29f2e1262bb01e282d022cd55e9e7aa8ce9745fa3037c5b1

Download Submit
C:\Users\Admin\Videos\autorun.inf

Filesize
291B

MD5
5cda9292cfaacb554b5ddda7a5d8daa0

SHA1
05d78ca665e4186a6245c29c9b392e090a9d0937

SHA256
8cbbcbdb2618fb7eaf7e09ceceee1c9d0cbdf609e4f0fc9a6a2de71912ceb174

SHA512
825381e97b7a0458898f27a95584affa011d1038a380a3e19c81cb04a80bbb9924536fa6c53dbde073d371de2918ede9a0e2427b9227888ce208b6ac50accdba

Download Submit
\Users\Admin\AppData\Local\Temp\firewall.exe

Filesize
40KB

MD5
085242fc50844dc41d1966e620d3e121

SHA1
5e9a343256313938468d5d4fb92e39c5ef6f8c91

SHA256
180b8e0169f2c89d3b4f34d3ee5b26f5578211068be74cf9c2fd194d8cda9b3d

SHA512
3341c74802aa98ce2bd7b15d2921d3082110c62ee6d82df784cb610c1594d905c82c6ae79cf43d76f98db7a8a4951686898ba1dddeb9615fca6480ac6bb7887b

Download Submit
memory/2884-7-0x0000000074631000-0x0000000074632000-memory.dmp

Filesize
4KB

Download
memory/2884-12-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2884-11-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2884-1136-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download