njrat | 7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5323e11bd0c264bf43a4215ba33ce990_JC.exe
Size

93KB
MD5

5323e11bd0c264bf43a4215ba33ce990
SHA1

ba44aa845163c4e7d8a41460dc704dfb6b014fe7
SHA256

7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35
SHA512

673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918
SSDEEP

768:8Y34QdyZnDQMMpAZrGSt6udttXyosahkGJiXxrjEtCdnl2pi1Rz4Rk3VsGdpugS7:UQYZD3rGWNd7dhkhjEwzGi1dDFDugS

Score

10^/10

njrat hackedbymalware evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKedByMalware

hakim32.ddns.net:2000

0�#r��-`.1:9386

Mutex

6e260ec5ede46d01445436ce38e3055a

Attributes

reg_key
6e260ec5ede46d01445436ce38e3055a
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 64 IoCs

evasion

Windows Service

T1543.003

pid	Process
2600	netsh.exe
2792	netsh.exe
2592	netsh.exe
1940	netsh.exe
2156	netsh.exe
2640	netsh.exe
1088	netsh.exe
2568	netsh.exe
1888	netsh.exe
852	netsh.exe
2900	netsh.exe
1140	netsh.exe
1508	netsh.exe
1860	netsh.exe
692	netsh.exe
2180	netsh.exe
1744	netsh.exe
1532	netsh.exe
524	netsh.exe
2676	netsh.exe
2648	netsh.exe
2224	netsh.exe
1660	netsh.exe
2980	netsh.exe
2592	netsh.exe
2792	netsh.exe
2740	netsh.exe
2148	netsh.exe
1704	netsh.exe
764	netsh.exe
2696	netsh.exe
2800	netsh.exe
1936	netsh.exe
2660	netsh.exe
564	netsh.exe
1416	netsh.exe
2828	netsh.exe
2280	netsh.exe
1528	netsh.exe
3036	netsh.exe
1048	netsh.exe
1512	netsh.exe
2848	netsh.exe
640	netsh.exe
1624	netsh.exe
1532	netsh.exe
2592	netsh.exe
1860	netsh.exe
2308	netsh.exe
2968	netsh.exe
2916	netsh.exe
2608	netsh.exe
2788	netsh.exe
2144	netsh.exe
1208	netsh.exe
1792	netsh.exe
2684	netsh.exe
764	netsh.exe
2844	netsh.exe
972	netsh.exe
1952	netsh.exe
2536	netsh.exe
2948	netsh.exe
2604	netsh.exe

Drops startup file 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe

Executes dropped EXE 64 IoCs

pid	Process
2920	server.exe
2612	svchost.exe
2596	server.exe
516	svchost.exe
2336	server.exe
832	svchost.exe
2412	server.exe
1740	svchost.exe
1924	server.exe
2864	svchost.exe
692	server.exe
1368	svchost.exe
2852	server.exe
1160	svchost.exe
860	server.exe
3048	svchost.exe
2108	server.exe
2936	svchost.exe
2904	server.exe
2868	svchost.exe
776	server.exe
1416	svchost.exe
1792	server.exe
2836	svchost.exe
2180	server.exe
2740	svchost.exe
2620	server.exe
1320	svchost.exe
2848	server.exe
2952	svchost.exe
864	server.exe
2156	svchost.exe
2928	server.exe
2768	svchost.exe
2508	server.exe
2744	svchost.exe
3016	server.exe
1652	svchost.exe
1404	server.exe
924	svchost.exe
2488	server.exe
1852	svchost.exe
2672	server.exe
1648	svchost.exe
268	server.exe
2024	svchost.exe
3016	server.exe
1896	svchost.exe
2384	server.exe
2208	svchost.exe
2580	server.exe
2788	svchost.exe
1448	server.exe
628	svchost.exe
1520	server.exe
2808	svchost.exe
2360	server.exe
2132	svchost.exe
2704	server.exe
872	svchost.exe
2820	server.exe
2628	svchost.exe
2864	server.exe
2024	svchost.exe

Loads dropped DLL 64 IoCs

pid	Process
2200	NEAS.5323e11bd0c264bf43a4215ba33ce990_JC.exe
2200	NEAS.5323e11bd0c264bf43a4215ba33ce990_JC.exe
2920	server.exe
2920	server.exe
2612	svchost.exe
2612	svchost.exe
2596	server.exe
2596	server.exe
516	svchost.exe
516	svchost.exe
2336	server.exe
2336	server.exe
832	svchost.exe
832	svchost.exe
2412	server.exe
2412	server.exe
1740	svchost.exe
1740	svchost.exe
1924	server.exe
1924	server.exe
2864	svchost.exe
2864	svchost.exe
692	server.exe
692	server.exe
1368	svchost.exe
1368	svchost.exe
2852	server.exe
2852	server.exe
1160	svchost.exe
1160	svchost.exe
860	server.exe
860	server.exe
3048	svchost.exe
3048	svchost.exe
2108	server.exe
2108	server.exe
2936	svchost.exe
2936	svchost.exe
2904	server.exe
2904	server.exe
2868	svchost.exe
2868	svchost.exe
776	server.exe
776	server.exe
1416	svchost.exe
1416	svchost.exe
1792	server.exe
1792	server.exe
2836	svchost.exe
2836	svchost.exe
2180	server.exe
2180	server.exe
2740	svchost.exe
2740	svchost.exe
2620	server.exe
2620	server.exe
1320	svchost.exe
1320	svchost.exe
2848	server.exe
2848	server.exe
2952	svchost.exe
2952	svchost.exe
864	server.exe
864	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2920	2200	NEAS.5323e11bd0c264bf43a4215ba33ce990_JC.exe	28
PID 2200 wrote to memory of 2920	2200	NEAS.5323e11bd0c264bf43a4215ba33ce990_JC.exe	28
PID 2200 wrote to memory of 2920	2200	NEAS.5323e11bd0c264bf43a4215ba33ce990_JC.exe	28
PID 2200 wrote to memory of 2920	2200	NEAS.5323e11bd0c264bf43a4215ba33ce990_JC.exe	28
PID 2920 wrote to memory of 1528	2920	server.exe	29
PID 2920 wrote to memory of 1528	2920	server.exe	29
PID 2920 wrote to memory of 1528	2920	server.exe	29
PID 2920 wrote to memory of 1528	2920	server.exe	29
PID 2920 wrote to memory of 2592	2920	server.exe	34
PID 2920 wrote to memory of 2592	2920	server.exe	34
PID 2920 wrote to memory of 2592	2920	server.exe	34
PID 2920 wrote to memory of 2592	2920	server.exe	34
PID 2920 wrote to memory of 2584	2920	server.exe	32
PID 2920 wrote to memory of 2584	2920	server.exe	32
PID 2920 wrote to memory of 2584	2920	server.exe	32
PID 2920 wrote to memory of 2584	2920	server.exe	32
PID 2920 wrote to memory of 2612	2920	server.exe	35
PID 2920 wrote to memory of 2612	2920	server.exe	35
PID 2920 wrote to memory of 2612	2920	server.exe	35
PID 2920 wrote to memory of 2612	2920	server.exe	35
PID 2612 wrote to memory of 2596	2612	svchost.exe	36
PID 2612 wrote to memory of 2596	2612	svchost.exe	36
PID 2612 wrote to memory of 2596	2612	svchost.exe	36
PID 2612 wrote to memory of 2596	2612	svchost.exe	36
PID 2596 wrote to memory of 2148	2596	server.exe	37
PID 2596 wrote to memory of 2148	2596	server.exe	37
PID 2596 wrote to memory of 2148	2596	server.exe	37
PID 2596 wrote to memory of 2148	2596	server.exe	37
PID 2596 wrote to memory of 1956	2596	server.exe	39
PID 2596 wrote to memory of 1956	2596	server.exe	39
PID 2596 wrote to memory of 1956	2596	server.exe	39
PID 2596 wrote to memory of 1956	2596	server.exe	39
PID 2596 wrote to memory of 1704	2596	server.exe	42
PID 2596 wrote to memory of 1704	2596	server.exe	42
PID 2596 wrote to memory of 1704	2596	server.exe	42
PID 2596 wrote to memory of 1704	2596	server.exe	42
PID 2596 wrote to memory of 516	2596	server.exe	43
PID 2596 wrote to memory of 516	2596	server.exe	43
PID 2596 wrote to memory of 516	2596	server.exe	43
PID 2596 wrote to memory of 516	2596	server.exe	43
PID 516 wrote to memory of 2336	516	svchost.exe	44
PID 516 wrote to memory of 2336	516	svchost.exe	44
PID 516 wrote to memory of 2336	516	svchost.exe	44
PID 516 wrote to memory of 2336	516	svchost.exe	44
PID 2336 wrote to memory of 2948	2336	server.exe	45
PID 2336 wrote to memory of 2948	2336	server.exe	45
PID 2336 wrote to memory of 2948	2336	server.exe	45
PID 2336 wrote to memory of 2948	2336	server.exe	45
PID 2336 wrote to memory of 1048	2336	server.exe	47
PID 2336 wrote to memory of 1048	2336	server.exe	47
PID 2336 wrote to memory of 1048	2336	server.exe	47
PID 2336 wrote to memory of 1048	2336	server.exe	47
PID 2336 wrote to memory of 2376	2336	server.exe	48
PID 2336 wrote to memory of 2376	2336	server.exe	48
PID 2336 wrote to memory of 2376	2336	server.exe	48
PID 2336 wrote to memory of 2376	2336	server.exe	48
PID 2336 wrote to memory of 832	2336	server.exe	51
PID 2336 wrote to memory of 832	2336	server.exe	51
PID 2336 wrote to memory of 832	2336	server.exe	51
PID 2336 wrote to memory of 832	2336	server.exe	51
PID 832 wrote to memory of 2412	832	svchost.exe	52
PID 832 wrote to memory of 2412	832	svchost.exe	52
PID 832 wrote to memory of 2412	832	svchost.exe	52
PID 832 wrote to memory of 2412	832	svchost.exe	52

C:\Users\Admin\AppData\Local\Temp\NEAS.5323e11bd0c264bf43a4215ba33ce990_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5323e11bd0c264bf43a4215ba33ce990_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200
- C:\ProgramData\server.exe
  "C:\ProgramData\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2592
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\ProgramData\server.exe
      "C:\ProgramData\server.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:2148
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        5⤵
        
        PID:1956
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:1704
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:516
      - C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        
        PID:2948
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        7⤵
        Modifies Windows Firewall
        
        PID:1048
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        7⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2412
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        9⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        9⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        9⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1740
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        10⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1924
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        11⤵
        Modifies Windows Firewall
        
        PID:2568
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        11⤵
        Modifies Windows Firewall
        
        PID:1528
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        11⤵
        Modifies Windows Firewall
        
        PID:2600
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2864
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        12⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        
        PID:692
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        13⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        13⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        13⤵
        Modifies Windows Firewall
        
        PID:524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1368
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        14⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2852
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        15⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        15⤵
        Modifies Windows Firewall
        
        PID:1792
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        15⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1160
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        16⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        
        PID:860
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        17⤵
        
        PID:304
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        17⤵
        Modifies Windows Firewall
        
        PID:972
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        17⤵
        Modifies Windows Firewall
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3048
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        18⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2108
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        19⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        19⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        19⤵
        Modifies Windows Firewall
        
        PID:2676
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2936
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        20⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2904
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        21⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        21⤵
        Modifies Windows Firewall
        
        PID:1512
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        21⤵
        Modifies Windows Firewall
        
        PID:2848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2868
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        22⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        
        PID:776
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        23⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        23⤵
        Modifies Windows Firewall
        
        PID:1888
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        23⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1416
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        24⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1792
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        25⤵
        
        PID:904
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        25⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        25⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2836
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        26⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2180
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        27⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        27⤵
        Modifies Windows Firewall
        
        PID:2792
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        27⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2740
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        28⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2620
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        29⤵
        Modifies Windows Firewall
        
        PID:2592
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        29⤵
        
        PID:576
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        29⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1320
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        30⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2848
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        31⤵
        Modifies Windows Firewall
        
        PID:564
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        31⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        31⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2952
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        32⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        
        PID:864
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        33⤵
        Modifies Windows Firewall
        
        PID:640
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        33⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        33⤵
        Modifies Windows Firewall
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        33⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        34⤵
        Drops startup file
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        35⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        35⤵
        Modifies Windows Firewall
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        35⤵
        Executes dropped EXE
        
        PID:2768
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        36⤵
        Drops startup file
        Executes dropped EXE
        
        PID:2508
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        37⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        37⤵
        Modifies Windows Firewall
        
        PID:2608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        37⤵
        Modifies Windows Firewall
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        37⤵
        Executes dropped EXE
        
        PID:2744
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        38⤵
        Drops startup file
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        39⤵
        
        PID:692
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        39⤵
        Modifies Windows Firewall
        
        PID:1940
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        39⤵
        Modifies Windows Firewall
        
        PID:852
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        39⤵
        Executes dropped EXE
        
        PID:1652
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        40⤵
        Drops startup file
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        41⤵
        Modifies Windows Firewall
        
        PID:2308
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        41⤵
        Modifies Windows Firewall
        
        PID:1744
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        41⤵
        Modifies Windows Firewall
        
        PID:1532
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        41⤵
        Executes dropped EXE
        
        PID:924
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        42⤵
        Drops startup file
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        43⤵
        Modifies Windows Firewall
        
        PID:2224
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        43⤵
        Modifies Windows Firewall
        
        PID:2156
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        43⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        43⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        44⤵
        Drops startup file
        Executes dropped EXE
        
        PID:2672
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        45⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        45⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        45⤵
        Modifies Windows Firewall
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        45⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        46⤵
        Drops startup file
        Executes dropped EXE
        
        PID:268
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        47⤵
        Modifies Windows Firewall
        
        PID:2980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        47⤵
        Modifies Windows Firewall
        
        PID:2592
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        47⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        47⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        48⤵
        Drops startup file
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        49⤵
        Modifies Windows Firewall
        
        PID:2900
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        49⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        49⤵
        Modifies Windows Firewall
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        49⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        50⤵
        Drops startup file
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        51⤵
        Modifies Windows Firewall
        
        PID:1416
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        51⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        51⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        51⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        52⤵
        Drops startup file
        Executes dropped EXE
        
        PID:2580
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        53⤵
        Modifies Windows Firewall
        
        PID:2916
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        53⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        53⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        53⤵
        Executes dropped EXE
        
        PID:2788
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        54⤵
        Drops startup file
        Executes dropped EXE
        
        PID:1448
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        55⤵
        Modifies Windows Firewall
        
        PID:2696
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        55⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        55⤵
        Modifies Windows Firewall
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        55⤵
        Executes dropped EXE
        
        PID:628
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        56⤵
        Drops startup file
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        57⤵
        Modifies Windows Firewall
        
        PID:2800
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        57⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        57⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        57⤵
        Executes dropped EXE
        
        PID:2808
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        58⤵
        Drops startup file
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        59⤵
        Modifies Windows Firewall
        
        PID:2640
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        59⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        59⤵
        Modifies Windows Firewall
        
        PID:1140
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        59⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        60⤵
        Drops startup file
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        61⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        61⤵
        
        PID:320
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        61⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        61⤵
        Executes dropped EXE
        
        PID:872
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        62⤵
        Drops startup file
        Executes dropped EXE
        
        PID:2820
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        63⤵
        Modifies Windows Firewall
        
        PID:2684
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        63⤵
        Modifies Windows Firewall
        
        PID:2788
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        63⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        63⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        64⤵
        Drops startup file
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        65⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        65⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        65⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        65⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        66⤵
        Drops startup file
        
        PID:2504
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        67⤵
        Modifies Windows Firewall
        
        PID:3036
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        67⤵
        Modifies Windows Firewall
        
        PID:1952
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        67⤵
        Modifies Windows Firewall
        
        PID:1508
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        67⤵
        
        PID:1884
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        68⤵
        Drops startup file
        
        PID:1620
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        69⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        69⤵
        
        PID:976
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        69⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        69⤵
        
        PID:2036
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        70⤵
        Drops startup file
        
        PID:2728
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        71⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        71⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        71⤵
        Modifies Windows Firewall
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        71⤵
        
        PID:2664
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        72⤵
        Drops startup file
        
        PID:2820
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        73⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        73⤵
        Modifies Windows Firewall
        
        PID:1624
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        73⤵
        Modifies Windows Firewall
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        73⤵
        
        PID:828
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        74⤵
        Drops startup file
        
        PID:3028
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        75⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        75⤵
        
        PID:876
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        75⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        75⤵
        
        PID:1456
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        76⤵
        Drops startup file
        
        PID:2504
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        77⤵
        Modifies Windows Firewall
        
        PID:1088
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        77⤵
        Modifies Windows Firewall
        
        PID:1532
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        77⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        77⤵
        
        PID:2384
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        78⤵
        Drops startup file
        
        PID:1896
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        79⤵
        Modifies Windows Firewall
        
        PID:2144
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        79⤵
        Modifies Windows Firewall
        
        PID:2740
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        79⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        79⤵
        
        PID:1440
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        80⤵
        Drops startup file
        
        PID:1964
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        81⤵
        Modifies Windows Firewall
        
        PID:2536
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        81⤵
        Modifies Windows Firewall
        
        PID:2844
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        81⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        81⤵
        
        PID:2236
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        82⤵
        Drops startup file
        
        PID:1272
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        83⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        83⤵
        
        PID:564
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        83⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        83⤵
        
        PID:812
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        84⤵
        Drops startup file
        
        PID:1724
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        85⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        85⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        85⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        85⤵
        
        PID:1404
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        86⤵
        Drops startup file
        
        PID:2892
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        87⤵
        
        PID:556
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        87⤵
        Modifies Windows Firewall
        
        PID:1936
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        87⤵
        Modifies Windows Firewall
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        87⤵
        
        PID:2488
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        88⤵
        Drops startup file
        
        PID:2144
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        89⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        89⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        89⤵
        Modifies Windows Firewall
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        89⤵
        
        PID:2616
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        90⤵
        Drops startup file
        
        PID:2068
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        91⤵
        Modifies Windows Firewall
        
        PID:1208
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        91⤵
        Modifies Windows Firewall
        
        PID:2660
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        91⤵
        Modifies Windows Firewall
        
        PID:692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        91⤵
        
        PID:1552
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        92⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        93⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        93⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        93⤵
        
        PID:1976
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        94⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        93⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        35⤵
        Modifies Windows Firewall
        
        PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
25B

MD5
020e1f40cd2d126d724be2d923688f73

SHA1
1bc32594bd0b62cc7bdfaab0d6f814dc950f91ef

SHA256
576f1f3e60a33cb21f0456abd3f00db63a8b62b2f457457bff1a6e56c67dfb7c

SHA512
30e1d1f07192e8aa01eae4cba754532f21c5e0c2b66d3bf347643e8f8bf3ba64c620e812d272a18f3fdfe5860f6669f7a90afdb4fcf02317d080ea217c583fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
25B

MD5
020e1f40cd2d126d724be2d923688f73

SHA1
1bc32594bd0b62cc7bdfaab0d6f814dc950f91ef

SHA256
576f1f3e60a33cb21f0456abd3f00db63a8b62b2f457457bff1a6e56c67dfb7c

SHA512
30e1d1f07192e8aa01eae4cba754532f21c5e0c2b66d3bf347643e8f8bf3ba64c620e812d272a18f3fdfe5860f6669f7a90afdb4fcf02317d080ea217c583fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
25B

MD5
020e1f40cd2d126d724be2d923688f73

SHA1
1bc32594bd0b62cc7bdfaab0d6f814dc950f91ef

SHA256
576f1f3e60a33cb21f0456abd3f00db63a8b62b2f457457bff1a6e56c67dfb7c

SHA512
30e1d1f07192e8aa01eae4cba754532f21c5e0c2b66d3bf347643e8f8bf3ba64c620e812d272a18f3fdfe5860f6669f7a90afdb4fcf02317d080ea217c583fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
25B

MD5
020e1f40cd2d126d724be2d923688f73

SHA1
1bc32594bd0b62cc7bdfaab0d6f814dc950f91ef

SHA256
576f1f3e60a33cb21f0456abd3f00db63a8b62b2f457457bff1a6e56c67dfb7c

SHA512
30e1d1f07192e8aa01eae4cba754532f21c5e0c2b66d3bf347643e8f8bf3ba64c620e812d272a18f3fdfe5860f6669f7a90afdb4fcf02317d080ea217c583fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
25B

MD5
020e1f40cd2d126d724be2d923688f73

SHA1
1bc32594bd0b62cc7bdfaab0d6f814dc950f91ef

SHA256
576f1f3e60a33cb21f0456abd3f00db63a8b62b2f457457bff1a6e56c67dfb7c

SHA512
30e1d1f07192e8aa01eae4cba754532f21c5e0c2b66d3bf347643e8f8bf3ba64c620e812d272a18f3fdfe5860f6669f7a90afdb4fcf02317d080ea217c583fd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
memory/516-77-0x0000000000380000-0x00000000003C0000-memory.dmp

Filesize
256KB

Download
memory/516-78-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/516-76-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/516-91-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/692-225-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/692-211-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/692-210-0x0000000000AF0000-0x0000000000B30000-memory.dmp

Filesize
256KB

Download
memory/692-209-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/832-131-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/832-118-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/832-116-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/832-117-0x00000000006D0000-0x0000000000710000-memory.dmp

Filesize
256KB

Download
memory/860-263-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/860-264-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/860-265-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/860-278-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/1160-252-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/1160-253-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1160-254-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/1160-262-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/1368-227-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/1368-224-0x0000000000A50000-0x0000000000A90000-memory.dmp

Filesize
256KB

Download
memory/1368-226-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/1368-235-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-171-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-157-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-156-0x0000000000C90000-0x0000000000CD0000-memory.dmp

Filesize
256KB

Download
memory/1740-155-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-172-0x0000000000B80000-0x0000000000BC0000-memory.dmp

Filesize
256KB

Download
memory/1924-170-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-173-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-194-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2200-1-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2200-0-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2200-2-0x0000000000D00000-0x0000000000D40000-memory.dmp

Filesize
256KB

Download
memory/2200-16-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2336-93-0x0000000000070000-0x00000000000B0000-memory.dmp

Filesize
256KB

Download
memory/2336-115-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2336-92-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2336-94-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2412-132-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2412-133-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2412-154-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2596-52-0x0000000000A20000-0x0000000000A60000-memory.dmp

Filesize
256KB

Download
memory/2596-51-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2596-75-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2596-54-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2612-38-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2612-36-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2612-37-0x0000000000B30000-0x0000000000B70000-memory.dmp

Filesize
256KB

Download
memory/2612-53-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2852-251-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2852-237-0x0000000000E50000-0x0000000000E90000-memory.dmp

Filesize
256KB

Download
memory/2852-238-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2852-236-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2864-208-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2864-197-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2864-196-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/2864-195-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-14-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-35-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-17-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-15-0x0000000000B90000-0x0000000000BD0000-memory.dmp

Filesize
256KB

Download
memory/3048-279-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads