chimera | hxxps://github[.]com/enginestein/Virus-Collection

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WScript.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\root\Office16\Winword.exe is not expected to spawn this process	3724	856	OfficeC2RClient.exe	138
Parent C:\Program Files\Microsoft Office\root\Office16\Winword.exe is not expected to spawn this process	7048	6012	OfficeC2RClient.exe	294
Parent C:\Program Files\Microsoft Office\root\Office16\Winword.exe is not expected to spawn this process	712	6284	OfficeC2RClient.exe	1388

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0003000000025cb8-11287.dat	family_quasar

Renames multiple (3271) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Contacts a large (1117) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Downloads MZ/PE file 36 IoCs

flow	pid	Process
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
91	5032	firefox.exe
3505	5032	firefox.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

resource	yara_rule
behavioral1/files/0x000e00000002b752-15852.dat	office_xlm_macros

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.a.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
3324	AgentTesla.exe
5596	HawkEye.exe
5508	ATTWorm Cracked.exe
2480	CrimsonRAT.exe
1896	dlrarhsiva.exe
2472	VanToM-Rat.bat
1472	Server.exe
4972	Vista.exe
1976	QuikNEZUpdater.exe
2828	Apex.exe
3052	nzm.exe
1696	winrvs.exe
1796	winrvs.exe
1612	winrvs.exe
4224	YouAreAnIdiot.exe
3348	winrvs.exe
4004	winrvs.exe
4612	winrvs.exe
5568	ExeStealth.exe
5588	winrvs.exe
712	ExeS.exe
6936	winrvs.exe
7040	Packman.exe
6384	winrvs.exe
6524	yP.exe
6376	winrvs.exe
5552	MD5ChecksumTest.exe
1456	winrvs.exe
7032	winrvs.exe
6280	windows vista key generation.exe
1884	winrvs.exe
2736	Mabezat.exe
4908	winrvs.exe
5720	Mabezat(1).exe
6900	winrvs.exe
4772	Floxif.exe
5960	winrvs.exe
7076	winrvs.exe
7132	winrvs.exe
3460	EternalRocks.exe
6684	winrvs.exe
4680	Opaserv.l.exe
5628	msload.exe
2692	Rahack.exe
6188	winrvs.exe
5684	winrvs.exe
6624	Bugsoft.exe
2640	winrvs.exe
6944	Amus.exe
5956	Anap.a.exe
248	winrvs.exe
2100	Axam.a.exe
1760	winrvs.exe
6744	Axam.exe
3848	Axam.exe
2748	winrvs.exe
940	winrvs.exe
6628	winrvs.exe
5532	Axam.exe
5728	winrvs.exe
6032	Axam.exe
3124	winrvs.exe
6440	Axam.exe
1292	winrvs.exe

Loads dropped DLL 1 IoCs

pid	Process
4772	Floxif.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\Downloads\\VanToM-Rat.bat"	VanToM-Rat.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\LoadManager = "c:\\windows\\system\\msload.exe"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\BACKGROUNDTASKHOST = "C:\\WINDOWS\\BACKGROUNDTASKHOST.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\CLIPBOARDSERVER = "C:\\WINDOWS\\CLIPBOARDSERVER.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microzoft_Ofiz = "C:\\Windows\\KdzEregli.exe"	Amus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\VanToM Folder\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ACSPECFC = "C:\\WINDOWS\\ACSPECFC.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\winsrv = "c:\\windows\\system\\winsrv.exe"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CASTINGSHELLEXT = "C:\\WINDOWS\\CASTINGSHELLEXT.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\APPRESOLVER = "C:\\WINDOWS\\APPRESOLVER.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MPREXE = "C:\\WINDOWS\\MPREXE.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scr = "c:\\windows\\system\\scr.scr"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Process not Found

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 26 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	AgentTesla.exe
File opened for modification	C:\Program Files\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Public\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	AgentTesla.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
45	camo.githubusercontent.com
91	raw.githubusercontent.com
142	camo.githubusercontent.com
45	raw.githubusercontent.com
55	camo.githubusercontent.com
56	raw.githubusercontent.com
56	camo.githubusercontent.com
3505	raw.githubusercontent.com
55	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
55	bot.whatismyipaddress.com

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\AutoRun.inf	WScript.exe
File opened for modification	C:\AutoRun.inf	WScript.exe
File created	F:\AutoRun.inf	WScript.exe
File opened for modification	F:\AutoRun.inf	WScript.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	Process not Found
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	Process not Found
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	nzm.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\System32\Administrator.vbs	WScript.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\System32\Administrator.vbs	WScript.exe
File created	C:\Windows\SysWOW64\winrvs.exe	nzm.exe
File created	C:\Windows\SysWOW64\winrvs.exe:Zone.Identifier:$DATA	nzm.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	Process not Found
File created	C:\Windows\SysWOW64\winrvs.exe	Process not Found
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File created	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	winrvs.exe
File opened for modification	C:\Windows\SysWOW64\winrvs.exe	Process not Found
File created	C:\Windows\SysWOW64\winrvs.exe	Process not Found
File created	C:\Windows\System32\Administrator.ini	WScript.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001200000002b518-13398.dat	upx
behavioral1/memory/6280-13428-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/6280-13429-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/4772-13651-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4772-13655-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/files/0x000e00000002b65a-14521.dat	upx
behavioral1/files/0x000e00000002b6a7-14891.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\FloatingPicker.js	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\osDetector.js	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-20_contrast-black.png	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Icons\StickyNotesBadgeLogo.scale-125_contrast-white.png	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-100.png	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-black\NotepadAppList.scale-125.png	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\HoloAssets\HoloLens_HeadTracking.png	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	WScript.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\initializeFocusRects.js	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2020.503.58.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CameraAppList.scale-125.png	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64_altform-lightunplated.png	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailBadge.scale-150.png	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Theme_Illustration_Seasons_Fall_Right.png	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\it-it\ui-strings.js	AgentTesla.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-80.png	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\SplashScreen.scale-100_contrast-white.png	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\NewsSplashScreen.scale-125_contrast-white.png	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-256_altform-unplated.png	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-250.png	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\AppxManifest.xml	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DocumentCard\DocumentCardTitle.styles.js	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-hover_32.svg	AgentTesla.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\resources.jar	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.4_2.42007.9001.0_x64__8wekyb3d8bbwe\AppxManifest.xml	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-32_contrast-white.png	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-200.png	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_altform-unplated_contrast-white.png	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\multi-tab-file-view-2x.png	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_signed_out.svg	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxSmallTile.scale-400.png	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-40_altform-lightunplated.png	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\GetHelpAppList.targetsize-60_altform-lightunplated.png	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-125_contrast-white.png	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-256_altform-lightunplated.png	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\MapsSplashScreen.scale-100_altform-colorful.png	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsWideTile.scale-125.png	AgentTesla.exe
File created	C:\Program Files (x86)\limewire\Shared\Super Mario.exe	Axam.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xsl	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_move_18.svg	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-256_altform-unplated.png	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\ExeStealth\ExeS.dpr	ExeStealth.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\NewsSmallTile.scale-100_contrast-white.png	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-24_contrast-black.png	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	WScript.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib\concatStyleSets.js	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateSquare150x150Logo.scale-400.png	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\theme.png	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	WScript.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluError_136x136.svg	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pt-br\ui-strings.js	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\plugin.js	AgentTesla.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-150.png	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\sat_logo.png	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\ui-strings.js	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe

Drops file in Windows directory 53 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\MPREXE.EXE	Opaserv.l.exe
File created	C:\WINDOWS\ACSPECFC.EXE	Opaserv.l.exe
File created	C:\WINDOWS\CLIPBOARDSERVER.EXE	Opaserv.l.exe
File opened for modification	C:\Windows\Cekirge.exe	Amus.exe
File opened for modification	C:\Windows\Ankara.exe	Amus.exe
File created	C:\WINDOWS\CASTINGSHELLEXT.EXE	Opaserv.l.exe
File created	C:\Windows\Ankara.exe	Amus.exe
File opened for modification	C:\WINDOWS\MPREXE.EXE	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\winsrv.exe	Opaserv.l.exe
File opened for modification	C:\WINDOWS\ACSPECFC.EXE	Opaserv.l.exe
File opened for modification	C:\WINDOWS\CASTINGSHELLEXT.EXE	Opaserv.l.exe
File opened for modification	\??\c:\windows\MPREXE.EXE	msload.exe
File opened for modification	C:\Windows\My_Pictures.exe	Amus.exe
File created	C:\Windows\Meydanbasi.exe	Amus.exe
File created	C:\Windows\Pide.exe	Amus.exe
File created	\??\c:\windows\system\msload.exe	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\scr.scr	msload.exe
File created	C:\Windows\My_Pictures.exe	Amus.exe
File created	C:\Windows\Adapazari.exe	Amus.exe
File created	C:\Windows\Anti_Virus.exe	Amus.exe
File opened for modification	C:\Windows\Pide.exe	Amus.exe
File created	C:\Windows\Pire.exe	Amus.exe
File opened for modification	C:\Windows\Pire.exe	Amus.exe
File created	C:\Windows\Cekirge.exe	Amus.exe
File opened for modification	C:\Windows\mscat32.dll	Opaserv.l.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	\??\c:\windows\system\msload.exe	msload.exe
File opened for modification	\??\c:\windows\system\winsrv.exe	msload.exe
File opened for modification	C:\Windows\Administrator.vbs	WScript.exe
File created	\??\c:\windows\system\winsrv.exe	Opaserv.l.exe
File opened for modification	C:\Windows\Meydanbasi.exe	Amus.exe
File opened for modification	C:\Windows\Anti_Virus.exe	Amus.exe
File created	C:\Windows\Administrator.vbs	WScript.exe
File opened for modification	C:\WINDOWS\BACKGROUNDTASKHOST.EXE	Opaserv.l.exe
File created	\??\c:\windows\jk.bat	Bugsoft.exe
File created	C:\Windows\KdzEregli.exe	Amus.exe
File opened for modification	C:\Windows\Adapazari.exe	Amus.exe
File created	\??\c:\windows\system\scr.scr	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\scr.scr	Opaserv.l.exe
File created	C:\WINDOWS\BACKGROUNDTASKHOST.EXE	Opaserv.l.exe
File opened for modification	C:\WINDOWS\CLIPBOARDSERVER.EXE	Opaserv.l.exe
File created	C:\Windows\Messenger.exe	Amus.exe
File opened for modification	\??\c:\windows\system\msload.exe	Opaserv.l.exe
File created	C:\WINDOWS\APPRESOLVER.EXE	Opaserv.l.exe
File opened for modification	C:\Windows\Messenger.exe	Amus.exe
File created	C:\WINDOWS\MPREXE.EXE	Opaserv.l.exe
File created	\??\c:\windows\mail.vbs	Bugsoft.exe
File opened for modification	C:\Windows\KdzEregli.exe	Amus.exe
File opened for modification	C:\WINDOWS\APPRESOLVER.EXE	Opaserv.l.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\MSBIND.DLL	Opaserv.l.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 38 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\YouAreAnIdiot.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bugsoft.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Fantom.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\ExeStealth.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Packman.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Mabezat.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Axam.a.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Floxif.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Opaserv.l.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Krotten(2).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\HawkEye.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\ATTWorm Cracked.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CodeRed.a.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Anap.a.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MyDoom.A.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Pikachu.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Krotten.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Krotten(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\EternalRocks.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\encrypt.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MD5ChecksumTest.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Rahack.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Krotten(3).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MeltingScreen.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Apex.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\nzm.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\yP.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\windows vista key generation.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\upx.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Quamo.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Vista.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\QuikNEZUpdater.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Mabezat(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Amus.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
5616	4224	WerFault.exe	131
2004	4772	WerFault.exe	174
7704	4680	WerFault.exe	183
8080	4680	WerFault.exe	183
7744	976	WerFault.exe	1407

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winrvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winrvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Axam.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winrvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe

Checks processor information in registry 2 TTPs 28 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "139818350"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31159327"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133827963268504333"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1"	Axam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0 = 540031000000000047590e5f10004368726f6d6500003e0009000400efbe47590c5f3f5ae1582e0000005ba50200000001000000000000000000000000000000f40705004300680072006f006d006500000016000000	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command	Axam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command	Axam.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1"	Axam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Applications\chrome.exe\shell\open\command	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*"	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command	Axam.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	Axam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*"	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command	Axam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\NodeSlot = "13"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1"	Axam.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 = 540031000000000047590c5f1000476f6f676c6500003e0009000400efbe47590c5f3f5ac7582e0000005aa502000000010000000000000000000000000000001f00a00047006f006f0067006c006500000016000000	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa"	Axam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202020202	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	ExeS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon	Axam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa"	Axam.exe

NTFS ADS 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\ATTWorm Cracked.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\VanToM-Rat.bat:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\file_virus.bat:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Floxif.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151(27).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Pikachu.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\trickbot(2).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Krotten(3).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Zloader(3).xlsm:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Mabezat.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151(34).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\nzm.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MyDoom.A.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151(23).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Apex.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Anap.a.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151(36).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\trickbot(1).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151(4).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151(17).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\HeadTail.vbs:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe\:Zone.Identifier:$DATA	VanToM-Rat.bat
File created	C:\Users\Admin\Downloads\trickbot.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Zloader.xlsm:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\ExeStealth.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\encrypt.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MeltingScreen.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151(29).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151(39).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\trickbot(3).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151(20).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\trickbot(7).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Krotten(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Win32.QuasarRAT.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\EternalRocks.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\trickbot(4).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151(1).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151(13).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Mabezat(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DComExploit.exe.vir:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c (1):Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\QuikNEZUpdater.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Amus.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151(2).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\SANS_ Malware FAQ_ What is W32_Blaster worm_.mht:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151(3).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151(45).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Vista.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151(44).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\smb-onil0o36.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151(33).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Axam.a.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Zloader(4).xlsm:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151(22).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\windows vista key generation.exe:Zone.Identifier	firefox.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe
1472	Server.exe

Suspicious behavior: GetForegroundWindowSpam 7 IoCs

pid	Process
1472	Server.exe
1676	OpenWith.exe
2988	OpenWith.exe
5032	firefox.exe
6676	OpenWith.exe
6668	OpenWith.exe
4024	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
7928	chrome.exe
7928	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4520	firefox.exe
Token: SeDebugPrivilege	4520	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5596	HawkEye.exe
Token: SeDebugPrivilege	760	iexplore.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: 33	1972	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1972	AUDIODG.EXE
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	1472	Server.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	4772	Floxif.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	4680	Opaserv.l.exe
Token: SeDebugPrivilege	5628	msload.exe
Token: SeShutdownPrivilege	5628	msload.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: 33	5816	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5816	AUDIODG.EXE
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
2472	VanToM-Rat.bat
1472	Server.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
6280	windows vista key generation.exe
6280	windows vista key generation.exe
6280	windows vista key generation.exe
7928	chrome.exe
7928	chrome.exe
7928	chrome.exe
7928	chrome.exe
7928	chrome.exe
7928	chrome.exe
7928	chrome.exe
7928	chrome.exe
7928	chrome.exe
7928	chrome.exe
7928	chrome.exe
7928	chrome.exe
5032	firefox.exe
5032	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4520	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
3324	AgentTesla.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
760	iexplore.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 4520	856	firefox.exe	79
PID 856 wrote to memory of 4520	856	firefox.exe	79
PID 856 wrote to memory of 4520	856	firefox.exe	79
PID 856 wrote to memory of 4520	856	firefox.exe	79
PID 856 wrote to memory of 4520	856	firefox.exe	79
PID 856 wrote to memory of 4520	856	firefox.exe	79
PID 856 wrote to memory of 4520	856	firefox.exe	79
PID 856 wrote to memory of 4520	856	firefox.exe	79
PID 856 wrote to memory of 4520	856	firefox.exe	79
PID 856 wrote to memory of 4520	856	firefox.exe	79
PID 856 wrote to memory of 4520	856	firefox.exe	79
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 4556	4520	firefox.exe	80
PID 4520 wrote to memory of 2712	4520	firefox.exe	81
PID 4520 wrote to memory of 2712	4520	firefox.exe	81
PID 4520 wrote to memory of 2712	4520	firefox.exe	81
PID 4520 wrote to memory of 2712	4520	firefox.exe	81
PID 4520 wrote to memory of 2712	4520	firefox.exe	81
PID 4520 wrote to memory of 2712	4520	firefox.exe	81
PID 4520 wrote to memory of 2712	4520	firefox.exe	81
PID 4520 wrote to memory of 2712	4520	firefox.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/enginestein/Virus-Collection"
1⤵
- Suspicious use of WriteProcessMemory
PID:856
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/enginestein/Virus-Collection
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1892 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1343e34-bc15-4ba3-9176-ca1bf8c80aaf} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" gpu
    3⤵
    PID:4556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05b5ec0d-5e26-4a5f-99ed-be8450bdcfa5} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" socket
    3⤵
    - Checks processor information in registry
    PID:2712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2984 -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 3112 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de3db1a2-f1b6-4c2c-8b79-8fed21f81e79} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" tab
    3⤵
    PID:4024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3616 -childID 2 -isForBrowser -prefsHandle 3720 -prefMapHandle 3716 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98a2ad29-f471-4063-be9e-7d54956bb625} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" tab
    3⤵
    PID:4156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4024 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4176 -prefMapHandle 4148 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f7aa8d3-b9a7-45c6-b115-49d2c74e8a33} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" utility
    3⤵
    - Checks processor information in registry
    PID:1636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5288 -childID 3 -isForBrowser -prefsHandle 5280 -prefMapHandle 5276 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {385f2a7c-e549-4880-883d-e2e7c1838728} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" tab
    3⤵
    PID:2140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 4 -isForBrowser -prefsHandle 5408 -prefMapHandle 5412 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f68602b3-ac0f-4484-9f10-82e274384478} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" tab
    3⤵
    PID:3572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5624 -childID 5 -isForBrowser -prefsHandle 5632 -prefMapHandle 5636 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a98e757-db67-495b-83aa-c81dd2708321} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" tab
    3⤵
    PID:3664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:3136
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      4⤵
      Downloads MZ/PE file
      Subvert Trust Controls: Mark-of-the-Web Bypass
      Checks processor information in registry
      NTFS ADS
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:5032
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1816 -parentBuildID 20240401114208 -prefsHandle 1752 -prefMapHandle 1744 -prefsLen 20321 -prefMapSize 241207 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09b73b9b-4095-4970-80ab-0ccec42d96cc} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" gpu
        5⤵
        
        PID:4576
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2172 -parentBuildID 20240401114208 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20321 -prefMapSize 241207 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1a1e200-ea4c-4029-b821-f7df2365ed1d} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" socket
        5⤵
        
        PID:3080
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3624 -childID 1 -isForBrowser -prefsHandle 3100 -prefMapHandle 3096 -prefsLen 25714 -prefMapSize 241207 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b63b211-001f-4bff-b3e2-46f53ca0a7a4} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
        5⤵
        
        PID:32
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3940 -childID 2 -isForBrowser -prefsHandle 3476 -prefMapHandle 3924 -prefsLen 26534 -prefMapSize 241207 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {450348fc-8fe4-4cf4-91cb-4fef517e50e3} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
        5⤵
        
        PID:4012
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4428 -childID 3 -isForBrowser -prefsHandle 4420 -prefMapHandle 4416 -prefsLen 27719 -prefMapSize 241207 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f50520bb-40b1-4916-a2e0-132c334764b8} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
        5⤵
        
        PID:2744
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4988 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2408 -prefMapHandle 3084 -prefsLen 33770 -prefMapSize 241207 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42f20c8d-d526-4cb0-8fb4-b56c21575f7f} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" utility
        5⤵
        Checks processor information in registry
        
        PID:4684
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -parentBuildID 20240401114208 -prefsHandle 5244 -prefMapHandle 5832 -prefsLen 38243 -prefMapSize 241207 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f33acef5-fa14-4485-92db-47b55cffa40f} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" rdd
        5⤵
        
        PID:5732
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3732 -childID 4 -isForBrowser -prefsHandle 3056 -prefMapHandle 3052 -prefsLen 32842 -prefMapSize 241207 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd3fa469-ea17-4ebb-aa68-31eb81fb130b} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
        5⤵
        
        PID:6020
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3640 -childID 5 -isForBrowser -prefsHandle 4280 -prefMapHandle 4416 -prefsLen 32842 -prefMapSize 241207 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {449812db-d0e4-4769-a2f6-2f675969f13b} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
        5⤵
        
        PID:872
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5376 -childID 6 -isForBrowser -prefsHandle 5344 -prefMapHandle 5716 -prefsLen 32842 -prefMapSize 241207 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a24d696-6dda-4878-96ac-e980ffef66a2} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
        5⤵
        
        PID:3388
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6108 -childID 7 -isForBrowser -prefsHandle 6032 -prefMapHandle 6036 -prefsLen 32842 -prefMapSize 241207 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {604658f9-5edb-434e-b9c9-d8a018c8cb3c} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
        5⤵
        
        PID:4396
    - - C:\Users\Admin\Downloads\AgentTesla.exe
        
        "C:\Users\Admin\Downloads\AgentTesla.exe"
        5⤵
        Chimera
        Executes dropped EXE
        Drops desktop.ini file(s)
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3324
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:760
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6836 -childID 8 -isForBrowser -prefsHandle 6636 -prefMapHandle 6628 -prefsLen 33936 -prefMapSize 241207 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82f8e0ce-2d43-43c2-bcae-1a82f659d466} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
        5⤵
        
        PID:3272
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4324 -childID 9 -isForBrowser -prefsHandle 6948 -prefMapHandle 5252 -prefsLen 33936 -prefMapSize 241207 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a22e18a-12e0-4d56-a0b6-33ec3ebdbbca} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
        5⤵
        
        PID:4864
    - - C:\Users\Admin\Downloads\MD5ChecksumTest.exe
        
        "C:\Users\Admin\Downloads\MD5ChecksumTest.exe"
        5⤵
        Executes dropped EXE
        
        PID:5552
    - - C:\Users\Admin\Downloads\windows vista key generation.exe
        
        "C:\Users\Admin\Downloads\windows vista key generation.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        
        PID:6280
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:6444
    - - C:\Users\Admin\Downloads\Mabezat.exe
        
        "C:\Users\Admin\Downloads\Mabezat.exe"
        5⤵
        Executes dropped EXE
        
        PID:2736
    - - C:\Users\Admin\Downloads\Mabezat(1).exe
        
        "C:\Users\Admin\Downloads\Mabezat(1).exe"
        5⤵
        Executes dropped EXE
        
        PID:5720
    - - C:\Users\Admin\Downloads\Floxif.exe
        
        "C:\Users\Admin\Downloads\Floxif.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 468
        6⤵
        Program crash
        
        PID:2004
    - - C:\Users\Admin\Downloads\EternalRocks.exe
        
        "C:\Users\Admin\Downloads\EternalRocks.exe"
        5⤵
        Executes dropped EXE
        
        PID:3460
    - - C:\Users\Admin\Downloads\Opaserv.l.exe
        
        "C:\Users\Admin\Downloads\Opaserv.l.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4680
      - C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        7⤵
        
        PID:4824
      - C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        6⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        7⤵
        
        PID:5504
      - C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        6⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5536
      - C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        6⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        7⤵
        
        PID:5116
      - C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        6⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        7⤵
        
        PID:6452
      - C:\WINDOWS\system\msload.exe
        
        C:\WINDOWS\system\msload.exe
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5628
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:408
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:240
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7152
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7160
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:912
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:32
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:408
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6412
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:892
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6964
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:976
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6584
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:672
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6768
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:488
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6712
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:488
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6792
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:792
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6220
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:912
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6524
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7100
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:856
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7080
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:32
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:652
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:720
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6796
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:712
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7044
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:32
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:720
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6836
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:652
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7584
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:976
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7292
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7672
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7388
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6324
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:856
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:236
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7948
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6156
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:856
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7856
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7244
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:676
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:124
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:756
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP NAVAPSVC
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7216
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP PERSFW
        8⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP AVPCC
        8⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP MCSHIELD
        8⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        8⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP NAVAPSVC
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6148
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP PERSFW
        7⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP AVPCC
        7⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP MCSHIELD
        7⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\NET.exe
        
        NET STOP SWEEPSRV.SYS
        7⤵
        
        PID:7424
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1796
        6⤵
        Program crash
        
        PID:7704
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1812
        6⤵
        Program crash
        
        PID:8080
    - - C:\Users\Admin\Downloads\Rahack.exe
        
        "C:\Users\Admin\Downloads\Rahack.exe"
        5⤵
        Executes dropped EXE
        
        PID:2692
    - - C:\Users\Admin\Downloads\Bugsoft.exe
        
        "C:\Users\Admin\Downloads\Bugsoft.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:6624
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\windows\jk.bat
        6⤵
        
        PID:4824
    - - C:\Users\Admin\Downloads\Amus.exe
        
        "C:\Users\Admin\Downloads\Amus.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:6944
    - - C:\Users\Admin\Downloads\Anap.a.exe
        
        "C:\Users\Admin\Downloads\Anap.a.exe"
        5⤵
        Executes dropped EXE
        
        PID:5956
    - - C:\Users\Admin\Downloads\Axam.a.exe
        
        "C:\Users\Admin\Downloads\Axam.a.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2100
    - - C:\Users\Admin\AppData\Roaming\Axam.exe
        
        "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\MyDoom.A.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        
        PID:6744
    - - C:\Users\Admin\AppData\Roaming\Axam.exe
        
        "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\Pikachu.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3848
    - - C:\Users\Admin\AppData\Roaming\Axam.exe
        
        "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\upx.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:5532
    - - C:\Users\Admin\AppData\Roaming\Axam.exe
        
        "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\encrypt.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:6032
    - - C:\Users\Admin\AppData\Roaming\Axam.exe
        
        "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\Fantom.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        
        PID:6440
    - - C:\Users\Admin\AppData\Roaming\Axam.exe
        
        "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\Krotten(3).exe"
        5⤵
        Drops startup file
        Adds Run key to start application
        Modifies registry class
        
        PID:5100
    - - C:\Users\Admin\AppData\Roaming\Axam.exe
        
        "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\PolyRansom.exe"
        5⤵
        Drops startup file
        Adds Run key to start application
        Modifies registry class
        
        PID:4460
    - - C:\Users\Admin\AppData\Roaming\Axam.exe
        
        "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\PolyRansom.exe"
        5⤵
        Drops startup file
        Adds Run key to start application
        Modifies registry class
        
        PID:6240
    - - C:\Users\Admin\AppData\Roaming\Axam.exe
        
        "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\MeltingScreen.exe"
        5⤵
        Drops startup file
        Adds Run key to start application
        Modifies registry class
        
        PID:7144
    - - C:\Users\Admin\AppData\Roaming\Axam.exe
        
        "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\Quamo.exe"
        5⤵
        Drops startup file
        Adds Run key to start application
        Drops file in Program Files directory
        Modifies registry class
        
        PID:6964
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1372 -childID 10 -isForBrowser -prefsHandle 7996 -prefMapHandle 8028 -prefsLen 40225 -prefMapSize 241207 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93fb15be-1078-41a6-b364-5cda241bf42e} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
        5⤵
        
        PID:3672

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2188

C:\Users\Admin\Downloads\HawkEye.exe
"C:\Users\Admin\Downloads\HawkEye.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5596

C:\Users\Admin\Downloads\ATTWorm Cracked.exe
"C:\Users\Admin\Downloads\ATTWorm Cracked.exe"
1⤵
- Executes dropped EXE
PID:5508

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\HeadTail.vbs"
1⤵
- Chimera
- Modifies visiblity of hidden/system files in Explorer
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:3756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\SANS_ Malware FAQ_ What is W32_Blaster worm_.mht
1⤵
- Modifies Internet Explorer settings
PID:5604

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Executes dropped EXE
PID:2480
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:1896

C:\Users\Admin\Downloads\VanToM-Rat.bat
"C:\Users\Admin\Downloads\VanToM-Rat.bat"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of FindShellTrayWindow
PID:2472
- C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
  "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1472

C:\Users\Admin\Downloads\Vista.exe
"C:\Users\Admin\Downloads\Vista.exe"
1⤵
- Executes dropped EXE
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\file_virus.bat" "
1⤵
PID:3572

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004E8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Users\Admin\Downloads\QuikNEZUpdater.exe
"C:\Users\Admin\Downloads\QuikNEZUpdater.exe"
1⤵
- Executes dropped EXE
PID:1976

C:\Users\Admin\Downloads\Apex.exe
"C:\Users\Admin\Downloads\Apex.exe"
1⤵
- Executes dropped EXE
PID:2828

C:\Users\Admin\Downloads\nzm.exe
"C:\Users\Admin\Downloads\nzm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3052
- C:\Windows\SysWOW64\winrvs.exe
  C:\Windows\system32\winrvs.exe 1252 "C:\Users\Admin\Downloads\nzm.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1696
- - C:\Windows\SysWOW64\winrvs.exe
    C:\Windows\system32\winrvs.exe 1192 "C:\Windows\SysWOW64\winrvs.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1796
  - - C:\Windows\SysWOW64\winrvs.exe
      C:\Windows\system32\winrvs.exe 1172 "C:\Windows\SysWOW64\winrvs.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:1612
    - - C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1176 "C:\Windows\SysWOW64\winrvs.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3348
      - C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1180 "C:\Windows\SysWOW64\winrvs.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1168 "C:\Windows\SysWOW64\winrvs.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1184 "C:\Windows\SysWOW64\winrvs.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1196 "C:\Windows\SysWOW64\winrvs.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6936
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1204 "C:\Windows\SysWOW64\winrvs.exe"
        10⤵
        Executes dropped EXE
        
        PID:6384
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1200 "C:\Windows\SysWOW64\winrvs.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6376
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1208 "C:\Windows\SysWOW64\winrvs.exe"
        12⤵
        Executes dropped EXE
        
        PID:1456
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1188 "C:\Windows\SysWOW64\winrvs.exe"
        13⤵
        Executes dropped EXE
        
        PID:7032
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1216 "C:\Windows\SysWOW64\winrvs.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1220 "C:\Windows\SysWOW64\winrvs.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1212 "C:\Windows\SysWOW64\winrvs.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6900
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1224 "C:\Windows\SysWOW64\winrvs.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1228 "C:\Windows\SysWOW64\winrvs.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:7076
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1232 "C:\Windows\SysWOW64\winrvs.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:7132
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1240 "C:\Windows\SysWOW64\winrvs.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6684
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1236 "C:\Windows\SysWOW64\winrvs.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6188
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1244 "C:\Windows\SysWOW64\winrvs.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1248 "C:\Windows\SysWOW64\winrvs.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1260 "C:\Windows\SysWOW64\winrvs.exe"
        24⤵
        Executes dropped EXE
        
        PID:248
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1256 "C:\Windows\SysWOW64\winrvs.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1268 "C:\Windows\SysWOW64\winrvs.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1272 "C:\Windows\SysWOW64\winrvs.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1264 "C:\Windows\SysWOW64\winrvs.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6628
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1280 "C:\Windows\SysWOW64\winrvs.exe"
        29⤵
        Executes dropped EXE
        
        PID:5728
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1276 "C:\Windows\SysWOW64\winrvs.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3124
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1284 "C:\Windows\SysWOW64\winrvs.exe"
        31⤵
        Executes dropped EXE
        
        PID:1292
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1292 "C:\Windows\SysWOW64\winrvs.exe"
        32⤵
        Drops file in System32 directory
        
        PID:4652
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1288 "C:\Windows\SysWOW64\winrvs.exe"
        33⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1144 "C:\Windows\SysWOW64\winrvs.exe"
        34⤵
        Drops file in System32 directory
        
        PID:6680
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1300 "C:\Windows\SysWOW64\winrvs.exe"
        35⤵
        Drops file in System32 directory
        
        PID:656
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1304 "C:\Windows\SysWOW64\winrvs.exe"
        36⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1308 "C:\Windows\SysWOW64\winrvs.exe"
        37⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1136 "C:\Windows\SysWOW64\winrvs.exe"
        38⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1316 "C:\Windows\SysWOW64\winrvs.exe"
        39⤵
        Drops file in System32 directory
        
        PID:6660
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1324 "C:\Windows\SysWOW64\winrvs.exe"
        40⤵
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1328 "C:\Windows\SysWOW64\winrvs.exe"
        41⤵
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1320 "C:\Windows\SysWOW64\winrvs.exe"
        42⤵
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1332 "C:\Windows\SysWOW64\winrvs.exe"
        43⤵
        Drops file in System32 directory
        
        PID:7792
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1336 "C:\Windows\SysWOW64\winrvs.exe"
        44⤵
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1340 "C:\Windows\SysWOW64\winrvs.exe"
        45⤵
        Drops file in System32 directory
        
        PID:6836
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1344 "C:\Windows\SysWOW64\winrvs.exe"
        46⤵
        Drops file in System32 directory
        
        PID:7344
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1056 "C:\Windows\SysWOW64\winrvs.exe"
        47⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1032 "C:\Windows\SysWOW64\winrvs.exe"
        48⤵
        Drops file in System32 directory
        
        PID:856
        
        C:\Windows\SysWOW64\winrvs.exe
        
        C:\Windows\system32\winrvs.exe 1360 "C:\Windows\SysWOW64\winrvs.exe"
        49⤵
        Drops file in System32 directory
        
        PID:6940

C:\Users\Admin\Downloads\YouAreAnIdiot.exe
"C:\Users\Admin\Downloads\YouAreAnIdiot.exe"
1⤵
- Executes dropped EXE
PID:4224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1228
  2⤵
  - Program crash
  PID:5616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4224 -ip 4224
1⤵
PID:2520

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1676
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\program.dev"
  2⤵
  PID:856
- - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
    OfficeC2RClient.exe /error PID=856 ProcessName="Microsoft Word" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1
    3⤵
    - Process spawned unexpected child process
    PID:3724

C:\Users\Admin\Downloads\ExeStealth.exe
"C:\Users\Admin\Downloads\ExeStealth.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5568
- C:\Program Files (x86)\ExeStealth\ExeS.exe
  "C:\Program Files (x86)\ExeStealth\ExeS.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:712

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument mailto:[email protected]?subject=Free%20Register%20ExeStealth V3.04&body=Free%20Register%20ExeStealth V3.04%0d%0a%0d%0aYour%20Name:%20%0d%0aYour%20Country:%20%0d%0aYour%20Mail:%20
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9777dcc40,0x7ff9777dcc4c,0x7ff9777dcc58
    3⤵
    PID:5516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,8534654844788079191,11054209696032884177,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1936 /prefetch:2
    3⤵
    PID:4624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1724,i,8534654844788079191,11054209696032884177,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2080 /prefetch:3
    3⤵
    PID:4308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,8534654844788079191,11054209696032884177,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1344 /prefetch:8
    3⤵
    PID:6028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,8534654844788079191,11054209696032884177,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3096 /prefetch:1
    3⤵
    PID:5916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,8534654844788079191,11054209696032884177,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
    3⤵
    PID:1092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4452,i,8534654844788079191,11054209696032884177,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4464 /prefetch:1
    3⤵
    PID:6188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3136,i,8534654844788079191,11054209696032884177,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4416 /prefetch:1
    3⤵
    PID:6332

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4600

C:\Users\Admin\Downloads\Packman.exe
"C:\Users\Admin\Downloads\Packman.exe"
1⤵
- Executes dropped EXE
PID:7040

C:\Users\Admin\Downloads\yP.exe
"C:\Users\Admin\Downloads\yP.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4772 -ip 4772
1⤵
PID:3120

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:6676
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\DComExploit.exe.vir"
  2⤵
  PID:6012
- - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
    OfficeC2RClient.exe /error PID=6012 ProcessName="Microsoft Word" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1
    3⤵
    - Process spawned unexpected child process
    PID:7048

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004E8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5816

C:\Users\Admin\AppData\Roaming\Axam.exe
"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Modifies registry class
PID:6776

C:\Users\Admin\AppData\Roaming\Axam.exe
"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Modifies registry class
PID:1232

C:\Users\Admin\AppData\Roaming\Axam.exe
"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\Pikachu.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Modifies registry class
PID:6208

C:\Users\Admin\AppData\Roaming\Axam.exe
"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\Rahack.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Modifies registry class
PID:5968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4680 -ip 4680
1⤵
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4680 -ip 4680
1⤵
PID:8044

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7568
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c (1)"
  2⤵
  - Checks processor information in registry
  PID:6368

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:6668
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86"
  2⤵
  PID:6284
- - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
    OfficeC2RClient.exe /error PID=6284 ProcessName="Microsoft Word" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1
    3⤵
    - Process spawned unexpected child process
    PID:712

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6520
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play "C:\Users\Admin\Downloads\103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046"
  2⤵
  - Enumerates connected drives
  PID:976
- - C:\Users\Admin\AppData\Roaming\Axam.exe
    "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:6472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 820
    3⤵
    - Program crash
    PID:7744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:7372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 976 -ip 976
1⤵
PID:7716

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6856
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732"
  2⤵
  PID:6364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732
    3⤵
    - Checks processor information in registry
    PID:6344

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\Admin\Downloads\0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732(1)"
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
  PID:7928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9777dcc40,0x7ff9777dcc4c,0x7ff9777dcc58
    3⤵
    PID:8164
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1712,i,3938712458511336162,1877998303628556433,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1740 /prefetch:2
    3⤵
    PID:6364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1872,i,3938712458511336162,1877998303628556433,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:3
    3⤵
    PID:6344
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1672,i,3938712458511336162,1877998303628556433,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2188 /prefetch:8
    3⤵
    PID:488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,3938712458511336162,1877998303628556433,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
    3⤵
    PID:7024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,3938712458511336162,1877998303628556433,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:7996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4668,i,3938712458511336162,1877998303628556433,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4692 /prefetch:8
    3⤵
    PID:6548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,3938712458511336162,1877998303628556433,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:8
    3⤵
    PID:7608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4880,i,3938712458511336162,1877998303628556433,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4856 /prefetch:8
    3⤵
    PID:3496

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:7176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:7188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery