f911a357abf083c321d7240e1070b470c9d2a64c1503700dbec45980c88c0aa4

Analysis

max time kernel
98s
max time network
151s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Majid Z Hacker.exe
Size

462KB
MD5

a8a8d6f3b48466242959545235d1c9b6
SHA1

0c2d670dc3b3b07a2498756e1d46fd1fee53a621
SHA256

09d709640f6884d6b7e7501175cfdcc3724df07785c081c0e14b20cbcdf382ec
SHA512

09f08dd6026b2e24a05e20505723055deceffaba3d351dd49cdc934d038ef0796a3d8d481fe7734b3ec3ba80f4800994983441204dbc3f12baf4f637534a4796
SSDEEP

12288:6rs81bE0LfUk6XLbwxMY4R/3CDOpeYYhN7zjYC/M:6H5rh6XPbYuCDOpmPzjZM

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 64 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
3452	netsh.exe
9056	netsh.exe
9524	netsh.exe
7600	netsh.exe
7956	netsh.exe
696	netsh.exe
8348	netsh.exe
9896	netsh.exe
9940	netsh.exe
10572	netsh.exe
2140	netsh.exe
11620	netsh.exe
5132	netsh.exe
9976	netsh.exe
7984	netsh.exe
2312	netsh.exe
9684	netsh.exe
11636	netsh.exe
5864	netsh.exe
7124	netsh.exe
7884	netsh.exe
13048	netsh.exe
3664	netsh.exe
3944	netsh.exe
6324	netsh.exe
10728	netsh.exe
10324	netsh.exe
11268	netsh.exe
5616	netsh.exe
5964	netsh.exe
8680	netsh.exe
9036	netsh.exe
6192	netsh.exe
11532	netsh.exe
12292	netsh.exe
4676	netsh.exe
6756	netsh.exe
8576	netsh.exe
7944	netsh.exe
9828	netsh.exe
3136	netsh.exe
6180	netsh.exe
2516	netsh.exe
5900	netsh.exe
6384	netsh.exe
8136	netsh.exe
4560	netsh.exe
4280	netsh.exe
5408	netsh.exe
9828	netsh.exe
11244	netsh.exe
12304	netsh.exe
5752	netsh.exe
6176	netsh.exe
10392	netsh.exe
6556	netsh.exe
6320	netsh.exe
7236	netsh.exe
7092	netsh.exe
9768	netsh.exe
11460	netsh.exe
804	netsh.exe
5900	netsh.exe
1312	netsh.exe

Drops startup file 2 IoCs

Processes:

firewall.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	firewall.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	firewall.exe

Executes dropped EXE 64 IoCs

Processes:

firewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exe

pid	process
2884	firewall.exe
2916	firewall.exe
2672	firewall.exe
2444	firewall.exe
2604	firewall.exe
1036	firewall.exe
1828	firewall.exe
2404	firewall.exe
784	firewall.exe
1716	firewall.exe
2628	firewall.exe
1968	firewall.exe
360	firewall.exe
2188	firewall.exe
2596	firewall.exe
1308	firewall.exe
304	firewall.exe
1668	firewall.exe
592	firewall.exe
1552	firewall.exe
3296	firewall.exe
3496	firewall.exe
3636	firewall.exe
3772	firewall.exe
3992	firewall.exe
3140	firewall.exe
1776	firewall.exe
3256	firewall.exe
3868	firewall.exe
4040	firewall.exe
3132	firewall.exe
3404	firewall.exe
3104	firewall.exe
1952	firewall.exe
3356	firewall.exe
3240	firewall.exe
3560	firewall.exe
3704	firewall.exe
3972	firewall.exe
3844	firewall.exe
2016	firewall.exe
3700	firewall.exe
3920	firewall.exe
3740	firewall.exe
3544	firewall.exe
4192	firewall.exe
4360	firewall.exe
4528	firewall.exe
4696	firewall.exe
4864	firewall.exe
5028	firewall.exe
4124	firewall.exe
4400	firewall.exe
4564	firewall.exe
4712	firewall.exe
4892	firewall.exe
4784	firewall.exe
4600	firewall.exe
4648	firewall.exe
4624	firewall.exe
4488	firewall.exe
4928	firewall.exe
5024	firewall.exe
4756	firewall.exe

Loads dropped DLL 64 IoCs

Processes:

Majid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exedw20.exedw20.exedw20.exedw20.exeMajid Z Hacker.exeMajid Z Hacker.exedw20.exeMajid Z Hacker.exedw20.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exedw20.exeMajid Z Hacker.exeMajid Z Hacker.exedw20.exedw20.exeMajid Z Hacker.exedw20.exedw20.exedw20.exeMajid Z Hacker.exedw20.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exedw20.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exe

pid	process
2764	Majid Z Hacker.exe
2836	Majid Z Hacker.exe
2060	Majid Z Hacker.exe
2640	Majid Z Hacker.exe
2568	Majid Z Hacker.exe
2624	Majid Z Hacker.exe
2236	Majid Z Hacker.exe
2424	Majid Z Hacker.exe
2032	dw20.exe
772	dw20.exe
2856	dw20.exe
320	dw20.exe
2220	Majid Z Hacker.exe
680	Majid Z Hacker.exe
964	dw20.exe
1568	Majid Z Hacker.exe
2800	dw20.exe
2420	Majid Z Hacker.exe
2228	Majid Z Hacker.exe
2376	Majid Z Hacker.exe
2208	dw20.exe
2516	Majid Z Hacker.exe
2560	Majid Z Hacker.exe
2608	dw20.exe
2728	dw20.exe
1552	Majid Z Hacker.exe
2464	dw20.exe
2936	dw20.exe
2372	dw20.exe
2664	Majid Z Hacker.exe
1720	dw20.exe
1796	Majid Z Hacker.exe
1104	Majid Z Hacker.exe
804	Majid Z Hacker.exe
2248	dw20.exe
3256	Majid Z Hacker.exe
3488	Majid Z Hacker.exe
3628	Majid Z Hacker.exe
3764	Majid Z Hacker.exe
3984	Majid Z Hacker.exe
3136	Majid Z Hacker.exe
1796	Majid Z Hacker.exe
3484	Majid Z Hacker.exe
3848	Majid Z Hacker.exe
4032	Majid Z Hacker.exe
3168	Majid Z Hacker.exe
3428	Majid Z Hacker.exe
3388	Majid Z Hacker.exe
3116	Majid Z Hacker.exe
3808	Majid Z Hacker.exe
2352	Majid Z Hacker.exe
3616	Majid Z Hacker.exe
3700	Majid Z Hacker.exe
4064	Majid Z Hacker.exe
2128	Majid Z Hacker.exe
2352	Majid Z Hacker.exe
4064	Majid Z Hacker.exe
2416	Majid Z Hacker.exe
2140	Majid Z Hacker.exe
1544	Majid Z Hacker.exe
4184	Majid Z Hacker.exe
4352	Majid Z Hacker.exe
4520	Majid Z Hacker.exe
4688	Majid Z Hacker.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe

Drops autorun.inf file 1 TTPs 64 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

description	ioc	process
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

firewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exe

pid	process
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
360	firewall.exe
360	firewall.exe
1828	firewall.exe
1828	firewall.exe
360	firewall.exe
1828	firewall.exe
360	firewall.exe
1828	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2628	firewall.exe
2916	firewall.exe
2916	firewall.exe
1036	firewall.exe
2916	firewall.exe
1036	firewall.exe
1036	firewall.exe
2916	firewall.exe
1036	firewall.exe
1968	firewall.exe
1968	firewall.exe
1968	firewall.exe
2604	firewall.exe
1968	firewall.exe
2604	firewall.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2916	firewall.exe
Token: SeDebugPrivilege	2604	firewall.exe
Token: SeDebugPrivilege	1828	firewall.exe
Token: SeDebugPrivilege	784	firewall.exe
Token: SeDebugPrivilege	2628	firewall.exe
Token: SeDebugPrivilege	360	firewall.exe
Token: SeDebugPrivilege	2596	firewall.exe
Token: SeDebugPrivilege	304	firewall.exe
Token: SeDebugPrivilege	1036	firewall.exe
Token: SeDebugPrivilege	1968	firewall.exe
Token: SeDebugPrivilege	1716	firewall.exe
Token: SeDebugPrivilege	2444	firewall.exe
Token: SeDebugPrivilege	2404	firewall.exe
Token: SeDebugPrivilege	2884	firewall.exe
Token: SeDebugPrivilege	2672	firewall.exe
Token: SeDebugPrivilege	2188	firewall.exe
Token: SeDebugPrivilege	1308	firewall.exe
Token: SeDebugPrivilege	1668	firewall.exe
Token: SeDebugPrivilege	592	firewall.exe
Token: SeDebugPrivilege	1552	firewall.exe
Token: SeDebugPrivilege	3296	firewall.exe
Token: SeDebugPrivilege	3496	firewall.exe
Token: SeDebugPrivilege	3636	firewall.exe
Token: SeDebugPrivilege	3772	firewall.exe
Token: SeDebugPrivilege	3992	firewall.exe
Token: SeDebugPrivilege	3140	firewall.exe
Token: SeDebugPrivilege	1776	firewall.exe
Token: SeDebugPrivilege	3256	firewall.exe
Token: SeDebugPrivilege	3868	firewall.exe
Token: SeDebugPrivilege	4040	firewall.exe
Token: SeDebugPrivilege	3132	firewall.exe
Token: SeDebugPrivilege	3404	firewall.exe
Token: SeDebugPrivilege	3104	firewall.exe
Token: SeDebugPrivilege	1952	firewall.exe
Token: SeDebugPrivilege	3356	firewall.exe
Token: SeDebugPrivilege	3240	firewall.exe
Token: SeDebugPrivilege	3560	firewall.exe
Token: SeDebugPrivilege	3704	firewall.exe
Token: SeDebugPrivilege	3972	firewall.exe
Token: SeDebugPrivilege	3844	firewall.exe
Token: SeDebugPrivilege	2016	firewall.exe
Token: SeDebugPrivilege	3700	firewall.exe
Token: SeDebugPrivilege	3920	firewall.exe
Token: SeDebugPrivilege	3740	firewall.exe
Token: SeDebugPrivilege	3544	firewall.exe
Token: SeDebugPrivilege	4192	firewall.exe
Token: SeDebugPrivilege	4360	firewall.exe
Token: SeDebugPrivilege	4528	firewall.exe
Token: SeDebugPrivilege	4696	firewall.exe
Token: SeDebugPrivilege	4864	firewall.exe
Token: SeDebugPrivilege	5028	firewall.exe
Token: SeDebugPrivilege	4124	firewall.exe
Token: SeDebugPrivilege	4400	firewall.exe
Token: SeDebugPrivilege	4564	firewall.exe
Token: SeDebugPrivilege	4712	firewall.exe
Token: SeDebugPrivilege	4892	firewall.exe
Token: SeDebugPrivilege	4784	firewall.exe
Token: SeDebugPrivilege	4600	firewall.exe
Token: SeDebugPrivilege	4648	firewall.exe
Token: SeDebugPrivilege	4624	firewall.exe
Token: SeDebugPrivilege	4488	firewall.exe
Token: SeDebugPrivilege	4928	firewall.exe
Token: SeDebugPrivilege	5024	firewall.exe
Token: SeDebugPrivilege	4756	firewall.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Majid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exeMajid Z Hacker.exefirewall.exefirewall.exefirewall.exefirewall.exeMajid Z Hacker.exe

description	pid	process	target process
PID 2764 wrote to memory of 2836	2764	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2764 wrote to memory of 2836	2764	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2764 wrote to memory of 2836	2764	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2764 wrote to memory of 2836	2764	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2764 wrote to memory of 2884	2764	Majid Z Hacker.exe	firewall.exe
PID 2764 wrote to memory of 2884	2764	Majid Z Hacker.exe	firewall.exe
PID 2764 wrote to memory of 2884	2764	Majid Z Hacker.exe	firewall.exe
PID 2764 wrote to memory of 2884	2764	Majid Z Hacker.exe	firewall.exe
PID 2836 wrote to memory of 2060	2836	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2836 wrote to memory of 2060	2836	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2836 wrote to memory of 2060	2836	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2836 wrote to memory of 2060	2836	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2836 wrote to memory of 2916	2836	Majid Z Hacker.exe	firewall.exe
PID 2836 wrote to memory of 2916	2836	Majid Z Hacker.exe	firewall.exe
PID 2836 wrote to memory of 2916	2836	Majid Z Hacker.exe	firewall.exe
PID 2836 wrote to memory of 2916	2836	Majid Z Hacker.exe	firewall.exe
PID 2060 wrote to memory of 2640	2060	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2060 wrote to memory of 2640	2060	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2060 wrote to memory of 2640	2060	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2060 wrote to memory of 2640	2060	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2060 wrote to memory of 2672	2060	Majid Z Hacker.exe	firewall.exe
PID 2060 wrote to memory of 2672	2060	Majid Z Hacker.exe	firewall.exe
PID 2060 wrote to memory of 2672	2060	Majid Z Hacker.exe	firewall.exe
PID 2060 wrote to memory of 2672	2060	Majid Z Hacker.exe	firewall.exe
PID 2640 wrote to memory of 2568	2640	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2640 wrote to memory of 2568	2640	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2640 wrote to memory of 2568	2640	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2640 wrote to memory of 2568	2640	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2640 wrote to memory of 2444	2640	Majid Z Hacker.exe	firewall.exe
PID 2640 wrote to memory of 2444	2640	Majid Z Hacker.exe	firewall.exe
PID 2640 wrote to memory of 2444	2640	Majid Z Hacker.exe	firewall.exe
PID 2640 wrote to memory of 2444	2640	Majid Z Hacker.exe	firewall.exe
PID 2568 wrote to memory of 2624	2568	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2568 wrote to memory of 2624	2568	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2568 wrote to memory of 2624	2568	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2568 wrote to memory of 2624	2568	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2568 wrote to memory of 2604	2568	Majid Z Hacker.exe	firewall.exe
PID 2568 wrote to memory of 2604	2568	Majid Z Hacker.exe	firewall.exe
PID 2568 wrote to memory of 2604	2568	Majid Z Hacker.exe	firewall.exe
PID 2568 wrote to memory of 2604	2568	Majid Z Hacker.exe	firewall.exe
PID 2884 wrote to memory of 2856	2884	firewall.exe	dw20.exe
PID 2884 wrote to memory of 2856	2884	firewall.exe	dw20.exe
PID 2884 wrote to memory of 2856	2884	firewall.exe	dw20.exe
PID 2884 wrote to memory of 2856	2884	firewall.exe	dw20.exe
PID 2444 wrote to memory of 2032	2444	firewall.exe	dw20.exe
PID 2444 wrote to memory of 2032	2444	firewall.exe	dw20.exe
PID 2444 wrote to memory of 2032	2444	firewall.exe	dw20.exe
PID 2444 wrote to memory of 2032	2444	firewall.exe	dw20.exe
PID 2916 wrote to memory of 2140	2916	firewall.exe	netsh.exe
PID 2916 wrote to memory of 2140	2916	firewall.exe	netsh.exe
PID 2916 wrote to memory of 2140	2916	firewall.exe	netsh.exe
PID 2916 wrote to memory of 2140	2916	firewall.exe	netsh.exe
PID 2604 wrote to memory of 2016	2604	firewall.exe	netsh.exe
PID 2604 wrote to memory of 2016	2604	firewall.exe	netsh.exe
PID 2604 wrote to memory of 2016	2604	firewall.exe	netsh.exe
PID 2604 wrote to memory of 2016	2604	firewall.exe	netsh.exe
PID 2624 wrote to memory of 2236	2624	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2624 wrote to memory of 2236	2624	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2624 wrote to memory of 2236	2624	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2624 wrote to memory of 2236	2624	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2624 wrote to memory of 1036	2624	Majid Z Hacker.exe	firewall.exe
PID 2624 wrote to memory of 1036	2624	Majid Z Hacker.exe	firewall.exe
PID 2624 wrote to memory of 1036	2624	Majid Z Hacker.exe	firewall.exe
PID 2624 wrote to memory of 1036	2624	Majid Z Hacker.exe	firewall.exe

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
7⤵
- Loads dropped DLL
PID:2236

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
8⤵
- Loads dropped DLL
PID:2424

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
9⤵
- Loads dropped DLL
PID:2220

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
10⤵
- Loads dropped DLL
PID:680

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
11⤵
- Loads dropped DLL
PID:1568

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
12⤵
- Loads dropped DLL
PID:2420

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
13⤵
- Loads dropped DLL
PID:2228

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
14⤵
- Loads dropped DLL
PID:2376

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
15⤵
- Loads dropped DLL
PID:2516

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
16⤵
- Loads dropped DLL
PID:2560

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
17⤵
- Loads dropped DLL
PID:1552

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
18⤵
- Loads dropped DLL
PID:2664

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
19⤵
- Loads dropped DLL
PID:1796

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
20⤵
- Loads dropped DLL
PID:1104

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
21⤵
- Loads dropped DLL
PID:804

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
22⤵
- Loads dropped DLL
PID:3256

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
23⤵
- Loads dropped DLL
PID:3488

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
24⤵
- Loads dropped DLL
PID:3628

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
25⤵
- Loads dropped DLL
PID:3764

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
26⤵
- Loads dropped DLL
PID:3984

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
27⤵
- Loads dropped DLL
PID:3136

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
28⤵
- Loads dropped DLL
PID:1796

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
29⤵
- Loads dropped DLL
PID:3484

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
30⤵
- Loads dropped DLL
PID:3848

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
31⤵
- Loads dropped DLL
PID:4032

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
32⤵
- Loads dropped DLL
PID:3168

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
33⤵
- Loads dropped DLL
PID:3428

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
34⤵
- Loads dropped DLL
PID:3388

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
35⤵
- Loads dropped DLL
PID:3116

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
36⤵
- Loads dropped DLL
PID:3808

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
37⤵
- Loads dropped DLL
PID:2352

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
38⤵
- Loads dropped DLL
PID:3616

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
39⤵
- Loads dropped DLL
PID:3700

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
40⤵
- Loads dropped DLL
PID:4064

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
41⤵
- Loads dropped DLL
PID:2128

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
42⤵
- Loads dropped DLL
PID:2352

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
43⤵
- Loads dropped DLL
PID:4064

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
44⤵
- Loads dropped DLL
PID:2416

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
45⤵
- Loads dropped DLL
PID:2140

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
46⤵
- Loads dropped DLL
PID:1544

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
47⤵
- Loads dropped DLL
PID:4184

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
48⤵
- Loads dropped DLL
PID:4352

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
49⤵
- Loads dropped DLL
PID:4520

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
50⤵
- Loads dropped DLL
PID:4688

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
51⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
52⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
53⤵
PID:4140

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
54⤵
PID:4200

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
55⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
56⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
57⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
58⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
59⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
60⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
61⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
62⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
63⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
64⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
65⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
66⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
67⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
68⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
69⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
70⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
71⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
72⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
73⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
74⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
75⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
76⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
77⤵
PID:5280

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
78⤵
PID:5448

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
79⤵
PID:5620

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
80⤵
PID:5788

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
81⤵
PID:5960

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
82⤵
PID:6128

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
83⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
84⤵
PID:5516

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
85⤵
PID:5724

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
86⤵
PID:6004

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
87⤵
PID:5976

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
88⤵
PID:5412

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
89⤵
PID:5700

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
90⤵
PID:5756

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
91⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
92⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
93⤵
PID:6040

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
94⤵
PID:5332

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
95⤵
PID:6096

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
96⤵
PID:5304

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
97⤵
PID:5964

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
98⤵
PID:6036

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
99⤵
PID:5644

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
100⤵
PID:5276

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
101⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
102⤵
PID:6244

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
103⤵
PID:6440

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
104⤵
PID:6632

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
105⤵
PID:6820

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
106⤵
PID:7008

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
107⤵
PID:6148

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
108⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
109⤵
PID:6680

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
110⤵
PID:6388

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
111⤵
PID:7136

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
112⤵
PID:5900

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
113⤵
PID:6552

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
114⤵
PID:6908

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
115⤵
PID:6180

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
116⤵
PID:7108

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
117⤵
PID:7088

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
118⤵
PID:6552

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
119⤵
PID:6312

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
120⤵
PID:7304

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
121⤵
PID:7480

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
122⤵
PID:7660

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
123⤵
PID:7836

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
124⤵
PID:8020

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
125⤵
PID:6928

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
126⤵
PID:6180

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
127⤵
PID:7308

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
128⤵
PID:7824

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
129⤵
PID:8100

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
130⤵
PID:7300

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
131⤵
PID:7476

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
132⤵
PID:7988

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
133⤵
PID:7204

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
134⤵
PID:7744

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
135⤵
PID:7660

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
136⤵
PID:7212

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
137⤵
PID:7300

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
138⤵
PID:7184

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
139⤵
PID:7524

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
140⤵
PID:7452

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
141⤵
PID:8280

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
142⤵
PID:8456

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
143⤵
PID:8632

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
144⤵
PID:8812

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
145⤵
PID:8992

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
146⤵
PID:9172

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
147⤵
PID:7184

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
148⤵
PID:8544

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
149⤵
PID:8744

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
150⤵
PID:8812

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
151⤵
PID:8200

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
152⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
153⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
154⤵
PID:8664

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
155⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
156⤵
PID:8756

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
157⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
158⤵
PID:8348

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
159⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
160⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
161⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
162⤵
PID:8484

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
163⤵
PID:8348

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
164⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
165⤵
PID:7820

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
166⤵
PID:8540

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
167⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
168⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
169⤵
PID:896

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
170⤵
PID:9164

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
171⤵
PID:8460

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
172⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
173⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
174⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
175⤵
PID:8760

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
176⤵
PID:3808

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
177⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
178⤵
PID:9300

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
179⤵
PID:9476

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
180⤵
PID:9660

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
181⤵
PID:9828

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
182⤵
PID:10016

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
183⤵
PID:10196

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
184⤵
PID:8840

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
185⤵
PID:8540

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
186⤵
PID:9796

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
187⤵
PID:10080

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
188⤵
PID:10192

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
189⤵
PID:9412

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
190⤵
PID:8840

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
191⤵
PID:9292

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
192⤵
PID:9784

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
193⤵
PID:9332

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
194⤵
PID:9556

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
195⤵
PID:9660

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
196⤵
PID:9684

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
197⤵
PID:9332

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
198⤵
PID:9852

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
199⤵
PID:10084

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
200⤵
PID:9596

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
201⤵
PID:10220

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
202⤵
PID:10416

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
203⤵
PID:10608

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
204⤵
PID:10800

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
205⤵
PID:11008

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
206⤵
PID:11204

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
207⤵
PID:10384

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
208⤵
PID:10448

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
209⤵
PID:10920

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
210⤵
PID:11036

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
211⤵
PID:10928

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
212⤵
PID:11124

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
213⤵
PID:10600

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
214⤵
PID:11036

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
215⤵
PID:10364

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
216⤵
PID:11204

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
217⤵
PID:10736

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
218⤵
PID:10416

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
219⤵
PID:5284

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
220⤵
PID:11164

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
221⤵
PID:11340

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
222⤵
PID:11512

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
223⤵
PID:11704

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
224⤵
PID:11912

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
225⤵
PID:12080

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
226⤵
PID:12264

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
227⤵
PID:11428

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
228⤵
PID:11648

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
229⤵
PID:11708

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
230⤵
PID:11644

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
231⤵
PID:11368

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
232⤵
PID:11772

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
233⤵
PID:11720

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
234⤵
PID:8052

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
235⤵
PID:11428

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
236⤵
PID:11824

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
237⤵
PID:11928

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
238⤵
PID:11720

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
239⤵
PID:11328

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
240⤵
PID:12240

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
241⤵
PID:11616

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
242⤵
PID:11412

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
243⤵
PID:12364

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
244⤵
PID:12548

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
245⤵
PID:12736

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
246⤵
PID:12928

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
247⤵
PID:13108

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
248⤵
PID:13296

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
249⤵
PID:12436

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
250⤵
PID:12564

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
251⤵
PID:12876

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
252⤵
PID:12672

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
253⤵
PID:9088

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
253⤵
PID:11824

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
252⤵
PID:13184

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
253⤵
PID:12300

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
251⤵
PID:8744

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
252⤵
- Modifies Windows Firewall
PID:12292

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
250⤵
PID:12704

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
251⤵
PID:12524

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
249⤵
PID:9976

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
250⤵
PID:12836

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
248⤵
PID:13304

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
249⤵
PID:12608

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
247⤵
PID:13116

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
248⤵
PID:12356

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
246⤵
PID:12936

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
247⤵
PID:13236

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
245⤵
PID:12748

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
246⤵
- Modifies Windows Firewall
PID:13048

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
244⤵
PID:12556

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
245⤵
PID:12864

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
243⤵
PID:12372

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
244⤵
PID:12668

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
242⤵
PID:8832

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
243⤵
PID:12468

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
241⤵
PID:11804

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
242⤵
- Modifies Windows Firewall
PID:12304

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
240⤵
PID:11808

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
241⤵
PID:11096

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
239⤵
PID:11688

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
240⤵
- Modifies Windows Firewall
PID:11532

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
238⤵
PID:10480

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
239⤵
PID:12264

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
237⤵
PID:11284

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
238⤵
- Modifies Windows Firewall
PID:11268

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
236⤵
PID:11624

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
237⤵
PID:11292

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
235⤵
PID:11368

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
236⤵
PID:11412

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
234⤵
PID:12064

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
235⤵
PID:11604

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
233⤵
PID:11648

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
234⤵
- Modifies Windows Firewall
PID:11460

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
232⤵
PID:11780

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
233⤵
PID:7336

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
231⤵
PID:940

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
232⤵
PID:11880

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
230⤵
PID:12224

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
231⤵
PID:12060

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
229⤵
PID:11968

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
230⤵
- Modifies Windows Firewall
PID:9976

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
228⤵
PID:11736

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
229⤵
PID:11836

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
227⤵
PID:11436

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
228⤵
PID:11732

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
226⤵
PID:12272

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
227⤵
- Modifies Windows Firewall
PID:11620

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
225⤵
PID:12088

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
226⤵
PID:10480

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
224⤵
PID:11920

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
225⤵
PID:12196

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
223⤵
PID:11712

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
224⤵
PID:12016

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
222⤵
PID:11524

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
223⤵
PID:11820

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
221⤵
PID:11348

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
222⤵
- Modifies Windows Firewall
PID:11636

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
220⤵
PID:6392

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
221⤵
PID:11452

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
219⤵
PID:11204

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
220⤵
PID:11272

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
218⤵
PID:10980

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
219⤵
PID:11208

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
217⤵
PID:10924

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
218⤵
PID:10712

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
216⤵
PID:10964

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
217⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
215⤵
PID:3036

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
216⤵
PID:6344

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
214⤵
PID:10936

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
215⤵
- Modifies Windows Firewall
PID:10572

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
213⤵
PID:10732

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
214⤵
PID:10500

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
212⤵
PID:10740

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
213⤵
- Modifies Windows Firewall
PID:11244

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
211⤵
PID:10488

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
212⤵
PID:10800

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
210⤵
PID:10128

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
211⤵
- Modifies Windows Firewall
PID:10324

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
209⤵
PID:10352

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
210⤵
PID:11192

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
208⤵
PID:10120

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
209⤵
PID:11084

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
207⤵
PID:5572

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
208⤵
PID:10864

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
206⤵
PID:11212

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
207⤵
- Modifies Windows Firewall
PID:10392

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
205⤵
PID:11016

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
206⤵
- Modifies Windows Firewall
PID:6192

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
204⤵
PID:10808

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
205⤵
PID:11116

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
203⤵
PID:10616

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
204⤵
PID:10924

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
202⤵
- Adds Run key to start application
PID:10424

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
203⤵
- Modifies Windows Firewall
PID:10728

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
201⤵
PID:10244

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
202⤵
PID:10544

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
200⤵
PID:9828

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
201⤵
PID:10352

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
199⤵
PID:9888

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
200⤵
PID:9332

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
198⤵
- Drops autorun.inf file
PID:10036

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
199⤵
PID:9976

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
197⤵
- Adds Run key to start application
PID:9368

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
198⤵
PID:5284

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
196⤵
PID:9892

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
197⤵
- Modifies Windows Firewall
PID:9940

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
195⤵
- Adds Run key to start application
PID:9564

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
196⤵
- Modifies Windows Firewall
PID:9828

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
194⤵
PID:10000

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
195⤵
PID:5140

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
193⤵
- Drops autorun.inf file
PID:9752

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
194⤵
PID:8840

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
192⤵
- Adds Run key to start application
PID:2216

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
193⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
191⤵
PID:9492

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
192⤵
- Modifies Windows Firewall
PID:9524

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
190⤵
PID:9504

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
191⤵
- Modifies Windows Firewall
PID:9828

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
189⤵
PID:9964

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
190⤵
- Modifies Windows Firewall
PID:9684

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
188⤵
PID:10016

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
189⤵
PID:9548

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
187⤵
PID:10088

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
188⤵
PID:8920

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
186⤵
- Adds Run key to start application
PID:9780

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
187⤵
PID:10112

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
185⤵
PID:9472

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
186⤵
- Modifies Windows Firewall
PID:9896

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
184⤵
- Adds Run key to start application
PID:8912

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
185⤵
PID:9656

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
183⤵
- Adds Run key to start application
PID:10204

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
184⤵
PID:9448

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
182⤵
- Adds Run key to start application
PID:10024

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
183⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
181⤵
PID:9836

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
182⤵
PID:10132

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
180⤵
- Adds Run key to start application
PID:9668

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
181⤵
PID:9952

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
179⤵
- Drops autorun.inf file
PID:9484

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
180⤵
- Modifies Windows Firewall
PID:9768

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
178⤵
- Drops autorun.inf file
PID:9308

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
179⤵
PID:9600

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
177⤵
PID:4512

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
178⤵
PID:9416

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
176⤵
PID:8776

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
177⤵
PID:9244

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
175⤵
- Drops autorun.inf file
PID:1344

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
176⤵
- Modifies Windows Firewall
PID:8348

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
174⤵
- Adds Run key to start application
PID:8756

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
175⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
173⤵
PID:8228

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
174⤵
PID:8272

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
172⤵
PID:2664

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
173⤵
PID:3540

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
171⤵
- Drops autorun.inf file
PID:2704

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
172⤵
- Modifies Windows Firewall
PID:1312

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
170⤵
- Adds Run key to start application
PID:8948

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
171⤵
PID:8024

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
169⤵
- Adds Run key to start application
PID:8360

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
170⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
168⤵
- Adds Run key to start application
PID:2680

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
169⤵
PID:6848

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
167⤵
- Adds Run key to start application
PID:9116

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
168⤵
- Modifies Windows Firewall
PID:7944

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
166⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:8704

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
167⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
165⤵
PID:3092

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
166⤵
PID:8404

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
164⤵
PID:8384

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
165⤵
- Modifies Windows Firewall
PID:9036

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
163⤵
PID:2708

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
164⤵
- Modifies Windows Firewall
PID:2516

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
162⤵
- Drops autorun.inf file
PID:848

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
163⤵
- Modifies Windows Firewall
PID:3944

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
161⤵
- Drops autorun.inf file
PID:1136

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
162⤵
PID:9056

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
160⤵
PID:7228

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
161⤵
PID:8024

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
159⤵
PID:944

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
160⤵
- Modifies Windows Firewall
PID:696

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
158⤵
- Adds Run key to start application
PID:3564

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
159⤵
PID:9156

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
157⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:336

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
158⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
156⤵
- Adds Run key to start application
PID:8408

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
157⤵
- Modifies Windows Firewall
PID:8680

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
155⤵
- Drops autorun.inf file
PID:2784

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
156⤵
- Modifies Windows Firewall
PID:2312

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
154⤵
- Adds Run key to start application
PID:8456

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
155⤵
- Modifies Windows Firewall
PID:9056

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
153⤵
- Adds Run key to start application
PID:8884

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
154⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
152⤵
PID:844

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
153⤵
PID:8240

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
151⤵
- Drops autorun.inf file
PID:7664

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
152⤵
PID:8480

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
150⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:8848

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
151⤵
PID:8364

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
149⤵
PID:8224

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
150⤵
PID:9032

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
148⤵
- Adds Run key to start application
PID:8552

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
149⤵
PID:8436

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
147⤵
PID:8264

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
148⤵
PID:8628

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
146⤵
PID:9180

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
147⤵
PID:8424

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
145⤵
- Drops autorun.inf file
PID:9004

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
146⤵
PID:7568

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
144⤵
- Drops autorun.inf file
PID:8820

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
145⤵
PID:9108

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
143⤵
PID:8640

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
144⤵
PID:8932

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
142⤵
PID:8464

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
143⤵
PID:8748

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
141⤵
PID:8288

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
142⤵
- Modifies Windows Firewall
PID:8576

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
140⤵
- Drops autorun.inf file
PID:7888

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
141⤵
PID:8392

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
139⤵
PID:7608

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
140⤵
PID:8216

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
138⤵
- Adds Run key to start application
PID:8096

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
139⤵
PID:7244

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
137⤵
PID:7940

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
138⤵
PID:6124

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
136⤵
- Adds Run key to start application
PID:7296

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
137⤵
- Modifies Windows Firewall
PID:7984

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
135⤵
- Adds Run key to start application
PID:7372

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
136⤵
PID:7824

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
134⤵
PID:7696

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
135⤵
PID:7324

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
133⤵
PID:7152

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
134⤵
PID:7388

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
132⤵
- Adds Run key to start application
PID:7968

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
133⤵
- Modifies Windows Firewall
PID:7884

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
131⤵
- Adds Run key to start application
PID:6180

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
132⤵
PID:8184

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
130⤵
- Drops autorun.inf file
PID:7288

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
131⤵
PID:7616

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
129⤵
- Adds Run key to start application
PID:8112

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
130⤵
PID:7448

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
128⤵
- Drops autorun.inf file
PID:7680

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
129⤵
PID:8052

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
127⤵
- Drops autorun.inf file
PID:7528

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
128⤵
PID:7856

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
126⤵
PID:7376

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
127⤵
PID:7656

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
125⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:7116

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
126⤵
PID:7552

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
124⤵
PID:8028

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
125⤵
PID:7260

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
123⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:7844

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
124⤵
- Modifies Windows Firewall
PID:8136

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
122⤵
- Adds Run key to start application
PID:7668

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
123⤵
- Modifies Windows Firewall
PID:7956

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
121⤵
- Drops autorun.inf file
PID:7488

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
122⤵
PID:7780

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
120⤵
- Drops autorun.inf file
PID:7312

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
121⤵
- Modifies Windows Firewall
PID:7600

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
119⤵
PID:7156

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
120⤵
PID:7420

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
118⤵
- Adds Run key to start application
PID:6684

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
119⤵
- Modifies Windows Firewall
PID:7236

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
117⤵
PID:6228

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
118⤵
PID:6576

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
116⤵
PID:6680

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
117⤵
- Modifies Windows Firewall
PID:6180

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
115⤵
PID:6424

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
116⤵
PID:6948

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
114⤵
PID:7148

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
115⤵
PID:6988

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
113⤵
PID:6168

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
114⤵
- Modifies Windows Firewall
PID:5408

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
112⤵
PID:6484

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
113⤵
- Modifies Windows Firewall
PID:6320

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
111⤵
PID:1008

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
112⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
110⤵
PID:6816

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
111⤵
- Modifies Windows Firewall
PID:6324

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
109⤵
- Drops autorun.inf file
PID:6688

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
110⤵
- Modifies Windows Firewall
PID:7092

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
108⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:5592

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
109⤵
- Modifies Windows Firewall
PID:6384

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
107⤵
PID:5620

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
108⤵
PID:6100

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
106⤵
- Adds Run key to start application
PID:7016

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
107⤵
PID:6312

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
105⤵
PID:6828

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
106⤵
- Modifies Windows Firewall
PID:7124

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
104⤵
PID:6640

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
105⤵
PID:6944

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
103⤵
PID:6448

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
104⤵
- Modifies Windows Firewall
PID:6756

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
102⤵
- Adds Run key to start application
PID:6264

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
103⤵
- Modifies Windows Firewall
PID:6556

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
101⤵
- Drops autorun.inf file
PID:5644

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
102⤵
PID:6380

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
100⤵
- Adds Run key to start application
PID:5312

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
101⤵
- Modifies Windows Firewall
PID:6176

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
99⤵
PID:6132

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
100⤵
- Modifies Windows Firewall
PID:5900

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
98⤵
PID:2696

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
99⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
97⤵
PID:5536

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
98⤵
PID:5720

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
96⤵
- Adds Run key to start application
PID:5960

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
97⤵
PID:5820

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
95⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:5264

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
96⤵
PID:5900

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
94⤵
PID:5500

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
95⤵
PID:5276

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
93⤵
- Drops autorun.inf file
PID:5568

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
94⤵
PID:5624

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
92⤵
PID:5432

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
93⤵
PID:5252

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
91⤵
- Drops autorun.inf file
PID:1988

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
92⤵
- Modifies Windows Firewall
PID:5752

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
90⤵
- Adds Run key to start application
PID:5436

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
91⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
89⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:5716

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
90⤵
- Modifies Windows Firewall
PID:5964

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
88⤵
PID:5416

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
89⤵
PID:5556

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
87⤵
PID:5176

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
88⤵
PID:5588

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
86⤵
PID:5812

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
87⤵
- Modifies Windows Firewall
PID:5132

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
85⤵
- Adds Run key to start application
PID:5228

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
86⤵
PID:6096

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
84⤵
- Drops autorun.inf file
PID:5528

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
85⤵
- Modifies Windows Firewall
PID:5864

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
83⤵
- Drops autorun.inf file
PID:1044

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
84⤵
- Modifies Windows Firewall
PID:5616

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
82⤵
- Drops autorun.inf file
PID:6136

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
83⤵
PID:5436

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
81⤵
PID:5968

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
82⤵
PID:5216

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
80⤵
- Drops autorun.inf file
PID:5796

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
81⤵
PID:6068

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
79⤵
PID:5628

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
80⤵
- Modifies Windows Firewall
PID:5900

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
78⤵
- Adds Run key to start application
PID:5456

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
79⤵
PID:5728

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
77⤵
PID:5288

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
78⤵
PID:5560

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
76⤵
- Adds Run key to start application
PID:4180

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
77⤵
PID:5376

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
75⤵
- Adds Run key to start application
PID:4768

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
76⤵
PID:5220

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
74⤵
PID:4888

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
75⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
73⤵
PID:5104

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
74⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
72⤵
- Adds Run key to start application
PID:3144

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
73⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
71⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:4788

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
72⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
70⤵
PID:4936

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
71⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
69⤵
- Drops autorun.inf file
PID:4560

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
70⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
68⤵
PID:2636

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
69⤵
- Modifies Windows Firewall
PID:4280

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
67⤵
- Adds Run key to start application
- Drops autorun.inf file
PID:4484

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
68⤵
PID:924

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
66⤵
PID:4912

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
67⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
65⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
66⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
64⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
65⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
63⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
64⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
62⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
63⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
61⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
62⤵
- Modifies Windows Firewall
PID:4676

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
60⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
61⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
59⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
60⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
58⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
59⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
57⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
58⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
57⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
55⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
56⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
54⤵
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
55⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
53⤵
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
54⤵
- Modifies Windows Firewall
PID:4560

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
52⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
53⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
51⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
52⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
50⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
51⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
49⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
50⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
48⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
49⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
47⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
48⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
46⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
47⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
45⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
46⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
44⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
45⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
43⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
44⤵
PID:3324

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
42⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
43⤵
PID:3176

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
41⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
42⤵
- Modifies Windows Firewall
PID:3136

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
40⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
41⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
39⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
40⤵
PID:3320

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
38⤵
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
39⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
37⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3240

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
38⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
36⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
37⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
35⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
36⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
35⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
33⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
34⤵
PID:4064

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
32⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
33⤵
PID:3692

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
32⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
30⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
31⤵
PID:4008

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
29⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
30⤵
PID:3904

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
28⤵
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
29⤵
- Modifies Windows Firewall
PID:3664

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
27⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
28⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
26⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
27⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
25⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
26⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
24⤵
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
25⤵
PID:3808

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
23⤵
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
24⤵
PID:3672

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
22⤵
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
23⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
21⤵
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
22⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
20⤵
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
21⤵
- Modifies Windows Firewall
PID:3452

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 592
20⤵
- Loads dropped DLL
PID:2248

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
18⤵
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:304

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
19⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 448
18⤵
- Loads dropped DLL
PID:1720

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
17⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 484
16⤵
- Loads dropped DLL
PID:2608

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
14⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
15⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
13⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 448
14⤵
- Loads dropped DLL
PID:2208

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
13⤵
- Modifies Windows Firewall
PID:804

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 556
12⤵
- Loads dropped DLL
PID:2800

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
11⤵
PID:1680

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 756
11⤵
- Loads dropped DLL
PID:2372

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 500
10⤵
- Loads dropped DLL
PID:964

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
9⤵
PID:1632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 632
9⤵
- Loads dropped DLL
PID:2464

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 444
8⤵
- Loads dropped DLL
PID:320

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
7⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 780
7⤵
- Loads dropped DLL
PID:2936

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 456
6⤵
- Loads dropped DLL
PID:2032

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 628
5⤵
- Loads dropped DLL
PID:772

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
4⤵
- Modifies Windows Firewall
PID:2140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 772
4⤵
- Loads dropped DLL
PID:2728

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 572
3⤵
- Loads dropped DLL
PID:2856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-549707372-2628346891331245724-13082765862091225402-53906973613939001871834518123"
1⤵
PID:804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11536313708799438442017379529-16554675883456718211314171361-760137374-1717077439"
1⤵
PID:3168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1043987661-710423404-20427056031496499535-6310878241603393228-1916148151-1997293299"
1⤵
PID:3324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1860107569-662585351738378917-652335106-212652199717525786931647102342-1462846933"
1⤵
PID:4752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-411666662-1751361135-1183510562-1853172180-358214875-18336381451220587510964699134"
1⤵
PID:4264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-643035334199390561-872879538493539717-16446444631396589144913379261-364730474"
1⤵
PID:856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "141040382156495517327980311-12600766531466742159033224581248507746-509631417"
1⤵
PID:5220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2092504791-5943344172086143565-109074371413233065161029582805-1821831691919787181"
1⤵
PID:5216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "168360081320458414471474604400-1238722726-10619150542827454881327787321937569772"
1⤵
PID:1560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10112734071267476395586725283-1486777935-11812847431466977383-1041406710873541739"
1⤵
PID:5864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "281282672-1317345232768571911-1867511804477898198-2358033068374475751920970725"
1⤵
PID:5132

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:5900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10890699662013739316248433846-1670823814493240711599727591819399407-1235359657"
1⤵
PID:7480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "129133137320694085-46708592-858369067-7279261983444735251157766081-1229179652"
1⤵
PID:7780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1512304783482048576-198146648619018160111553491289-1933019926347531229-1006535483"
1⤵
PID:7884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1310467830515713973286850155-1219409561-15093689271538474957-18931923282142604956"
1⤵
PID:7524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-201473970406825928-1353977453-15427017978709063-10797593661542026373-1148200600"
1⤵
PID:8424

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "200866199-19499132697220967711349264807-1679411000675472599-332767798-426067665"
1⤵
PID:8628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "609967482134560760261598076734929982010285017001484535455-1546354677-322172623"
1⤵
PID:7568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "644946535-1720618752354072920-1120898533310460743188612458296182654981625491"
1⤵
PID:8680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2095534442052688759-970402272-2113804549-2226292011749568171-973092862-1589087206"
1⤵
PID:8272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5443683461169253937-6400846387700751262100594329-533617356578136100-1028540785"
1⤵
PID:4668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-221629376-115776995508091078-16459951611305980996-873738099-747197299-27027829"
1⤵
PID:2312

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BlackData.dat
Filesize
3B

MD5
93cba07454f06a4a960172bbd6e2a435

SHA1
5397e0583f14f6c88de06b1ef28f460a1fb5b0ae

SHA256
85a39ab345d672ff8ca9b9c6876f3adcacf45ee7c1e2dbd2408fd338bd55e07e

SHA512
6b99acba1e4e469610f9227829648fa52e7ad463f22568f0a04188f2d465a585ba077f12d1a527674c338470e79665fd16e54f25553482cddd85845232d186f9

Download Submit
C:\Users\Admin\Documents\My Music\autorun.inf
Filesize
287B

MD5
15755ea8c0f620cfdaf9ada425e6b4c2

SHA1
868d9aca932d7a1a0d26ba19d613e34f3325a4eb

SHA256
3ae21c30b4273c6dfcc5841aaa18d776e53dd9dd9458051cb5457e25af4250fe

SHA512
6a44ff83fcf9d22fe1d06d3333be2bcfd45df0a9bc449cdf857d255c69d88497efc8c00c6a4ba383da6ebd7d422e87fea2e78ad62ec678fa3dc1aac29e34fae9

Download Submit
C:\Users\Admin\Pictures\autorun.inf
Filesize
299B

MD5
d7111cd7ccdee778d8261d4e03614a85

SHA1
f88c30e0403764b7384e3ef64cb54a1c2f5121f4

SHA256
6ad6f66d55b492f4f982a1bbe9ba99b20f3c77b93285cca02ca7843642336aa3

SHA512
15578fff5e7ee767edeaa4da93a66b2a634d8caa7a0a06223481fa6ab1c97c64f3871a36550406bc29f2e1262bb01e282d022cd55e9e7aa8ce9745fa3037c5b1

Download Submit
C:\Users\Admin\Videos\autorun.inf
Filesize
291B

MD5
5cda9292cfaacb554b5ddda7a5d8daa0

SHA1
05d78ca665e4186a6245c29c9b392e090a9d0937

SHA256
8cbbcbdb2618fb7eaf7e09ceceee1c9d0cbdf609e4f0fc9a6a2de71912ceb174

SHA512
825381e97b7a0458898f27a95584affa011d1038a380a3e19c81cb04a80bbb9924536fa6c53dbde073d371de2918ede9a0e2427b9227888ce208b6ac50accdba

Download Submit
\Users\Admin\AppData\Local\Temp\firewall.exe
Filesize
40KB

MD5
085242fc50844dc41d1966e620d3e121

SHA1
5e9a343256313938468d5d4fb92e39c5ef6f8c91

SHA256
180b8e0169f2c89d3b4f34d3ee5b26f5578211068be74cf9c2fd194d8cda9b3d

SHA512
3341c74802aa98ce2bd7b15d2921d3082110c62ee6d82df784cb610c1594d905c82c6ae79cf43d76f98db7a8a4951686898ba1dddeb9615fca6480ac6bb7887b

Download Submit
memory/2884-7-0x0000000074631000-0x0000000074632000-memory.dmp

Filesize
4KB

Download
memory/2884-12-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2884-11-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2884-1136-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download