Malware Analysis Report

2025-01-22 14:02

Sample ID 240223-2lrr9aaf67
Target Server.exe
SHA256 e6c2602e22933912b73477dac66ed9ac50bf2de7a0254c8ac68d4034b3be7459
Tags
hacked njrat evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e6c2602e22933912b73477dac66ed9ac50bf2de7a0254c8ac68d4034b3be7459

Threat Level: Known bad

The file Server.exe was found to be: Known bad.

Malicious Activity Summary

hacked njrat evasion persistence

Njrat family

Modifies Installed Components in the registry

Modifies Windows Firewall

Enumerates connected drives

Drops desktop.ini file(s)

Drops file in Program Files directory

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-02-23 22:40

Signatures

Njrat family

njrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-23 22:40

Reported

2024-02-23 23:11

Platform

win7-20240221-en

Max time kernel

1797s

Max time network

1803s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

Signatures

Modifies Installed Components in the registry

persistence

Note: every write in this table is made by C:\Windows\system32\unregmp2.exe, Windows Media Player's own registration helper, reached through the wmplayer.exe → setup_wm.exe → unregmp2.exe chain listed under Processes. The component is WMP's standard Active Setup entry (StubPath "/ShowWMP", IsInstalled = 0), not a persistence entry written by Server.exe; no registry persistence by the sample itself is recorded in this report.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} C:\Windows\system32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\DontAsk = "2" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,7601,17514" C:\Windows\system32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "0" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Stubpath = "%SystemRoot%\\system32\\unregmp2.exe /ShowWMP" C:\Windows\system32\unregmp2.exe N/A
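
The Active Setup rows above are the kind of finding that needs a path check before it counts as persistence. The following Python is an added triage example written for this page, not Tria.ge's or the report's own code: it groups the registry events by component GUID, pulls the executable out of StubPath, and marks a component suspicious only when the stub or the process registering it lives in a user-writable directory. The first five events are the report's WMP rows; the {00000000-0000-0000-0000-000000000000} component written by Server.exe is a hypothetical contrast case, not something the report recorded.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the report's "Modifies Installed Components"
# table: (operation, registry path, value, writing process). The first five rows
# are the report's own WMP rows; the last two are a HYPOTHETICAL malicious
# component added for contrast and are not in the report.
BASE = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
WMP_KEY = BASE + r"\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}"
FAKE_KEY = BASE + r"\{00000000-0000-0000-0000-000000000000}"   # hypothetical
UNREGMP2 = r"C:\Windows\system32\unregmp2.exe"
SERVER = r"C:\Users\Admin\AppData\Local\Temp\Server.exe"

EVENTS = [
    ("Key created",     WMP_KEY,                    None,                UNREGMP2),
    ("Set value (int)", WMP_KEY + r"\DontAsk",       "2",                 UNREGMP2),
    ("Set value (str)", WMP_KEY + r"\Version",       "12,0,7601,17514",   UNREGMP2),
    ("Set value (int)", WMP_KEY + r"\IsInstalled",   "0",                 UNREGMP2),
    ("Set value (str)", WMP_KEY + r"\Stubpath",
     r"%SystemRoot%\system32\unregmp2.exe /ShowWMP",                      UNREGMP2),
    ("Set value (str)", FAKE_KEY + r"\StubPath",
     r"C:\Users\Admin\AppData\Roaming\svchost.exe",                       SERVER),
    ("Set value (int)", FAKE_KEY + r"\IsInstalled",  "1",                 SERVER),
]

# Where an Active Setup stub (or the process that registers it) normally lives.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")

COMPONENT_RE = re.compile(
    r"installed components\\(>?\{[0-9a-f-]{36}\})(?:\\([^\\]+))?$", re.I)


def _normalize(path):
    """Expand the environment variables Active Setup stubs commonly use, then lowercase."""
    return (path.replace("%SystemRoot%", r"C:\Windows")
                .replace("%windir%", r"C:\Windows").lower())


def _stub_executable(stub):
    """Return the executable part of a StubPath (quoted path, or first token ending in .exe)."""
    s = stub.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", s, re.I)
    return m.group(1) if m else s.split()[0]


def triage_active_setup(events):
    """Group registry events per Active Setup component and classify each one.

    Returns {component_guid: {"exe", "writers", "is_installed", "findings", "verdict"}}.
    """
    comps = defaultdict(lambda: {"values": {}, "writers": set()})
    for _op, path, value, proc in events:
        m = COMPONENT_RE.search(path)
        if not m:
            continue
        guid, name = m.group(1), m.group(2)
        comps[guid]["writers"].add(proc)
        if name is not None and value is not None:
            comps[guid]["values"][name.lower()] = value

    results = {}
    for guid, c in comps.items():
        findings = []
        stub = c["values"].get("stubpath")
        exe = _normalize(_stub_executable(stub)) if stub else None
        if exe and not exe.startswith(SYSTEM_DIRS):
            findings.append("stub outside Windows/Program Files: " + exe)
        if exe and exe.startswith(USER_WRITABLE):
            findings.append("stub in user-writable location")
        bad_writers = [w for w in c["writers"] if _normalize(w).startswith(USER_WRITABLE)]
        if bad_writers:
            findings.append("registered by process in user-writable location: " + ", ".join(bad_writers))
        is_installed = c["values"].get("isinstalled")
        if is_installed == "0":
            # Active Setup skips components whose IsInstalled is 0, so this stub will not run.
            findings.append("IsInstalled=0: stub disabled (note only)")
        suspicious = any(not f.startswith("IsInstalled=0") for f in findings)
        results[guid] = {
            "exe": exe,
            "writers": sorted(c["writers"]),
            "is_installed": is_installed,
            "findings": findings,
            "verdict": "suspicious" if suspicious else "expected",
        }
    return results


if __name__ == "__main__":
    for guid, r in triage_active_setup(EVENTS).items():
        print(guid, r["verdict"], r["exe"], r["findings"])
```

Run against the report's rows the WMP component comes back "expected" (stub under C:\Windows, written by a Windows binary, and disabled by IsInstalled = 0), while the hypothetical component fails on all three path checks.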

Modifies Windows Firewall

evasion
Description Indicator Process Target
Adds a firewall exception for the sample itself; spawned by Server.exe (PID 2168 → 2516) netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE C:\Windows\SysWOW64\netsh.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\system32\unregmp2.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\E: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Media Player\wmplayer.exe C:\Windows\system32\unregmp2.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Enqueue C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shellex\ContextMenuHandlers\PlayTo C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue\ = "&Add to Windows Media Player list" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\ = "&Add to Windows Media Player list" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Play\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\ = "&Add to Windows Media Player list" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF} C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Enqueue\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Enqueue\ = "&Add to Windows Media Player list" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\ = "&Play with Windows Media Player" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\ = "&Play with Windows Media Player" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Enqueue C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\ShellEx\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\ = "&Add to Windows Media Player list" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\WMPShopMusic\ = "{8A734961-C4AA-4741-AC1E-791ACEBF5B39}" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue\command C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\ = "&Play with Windows Media Player" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Play\command C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\ = "&Play with Windows Media Player" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\command C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Enqueue\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867} C:\Windows\system32\unregmp2.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Repeated GetForegroundWindow polling by Server.exe, consistent with njRAT's logging of the active window title alongside keystrokes.

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Events
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A 1
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A 29
Token: 33 (privilege LUID 33 = SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A 30
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A 2
Token: 33 (privilege LUID 33 = SeIncreaseWorkingSetPrivilege) N/A C:\Windows\system32\AUDIODG.EXE N/A 2

The 64 original rows are collapsed above by token and process. Only the single SeDebugPrivilege request by Server.exe is notable; the alternating SeIncBasePriorityPrivilege / LUID 33 pairs are routine priority and working-set adjustments that the unrelated AUDIODG.EXE also performs.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2168 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\netsh.exe 4
PID 2304 wrote to memory of 2324 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe 7
PID 2324 wrote to memory of 3048 N/A C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Windows\SysWOW64\unregmp2.exe 7
PID 3048 wrote to memory of 2124 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\system32\unregmp2.exe 4
PID 2324 wrote to memory of 2232 N/A C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Windows\SysWOW64\unregmp2.exe 7
PID 2232 wrote to memory of 1044 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\system32\unregmp2.exe 4
PID 2324 wrote to memory of 2616 N/A C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe 4

The 37 original rows are collapsed above with an event count. Every pair is a parent writing into a child it has just started (the same parent/child links appear in the Processes list), not injection into an unrelated process; the only write originating from the sample is Server.exe (2168) into the netsh.exe (2516) it spawns to add its firewall exception.

Processes

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4b8

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding

C:\Windows\SysWOW64\unregmp2.exe

C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\system32\unregmp2.exe" /PerformIndivIfNeeded

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /PerformIndivIfNeeded /REENTRANT

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Music\ExportComplete.wm
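
The Processes list above, together with the PIDs from the WriteProcessMemory table, is enough to reconstruct the process tree and score the netsh call. This Python is an added example for this page, not the sandbox's code: parse_netsh_allow extracts the program a netsh command exempts (the legacy "firewall add allowedprogram" form used here, plus the "advfirewall ... program=" form as a generalization), process_chain walks parent links, and find_firewall_exclusions rates the njRAT pattern of a process in a user-writable path whitelisting its own executable. PIDs and command lines come from the report; explorer.exe's PID 1184, its role as wmplayer.exe's parent, and Server.exe's parent of 0 (the sandbox launcher) are assumptions.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

SERVER = r"C:\Users\Admin\AppData\Local\Temp\Server.exe"
WMPLAYER = r"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
SETUP_WM = r"C:\Program Files (x86)\Windows Media Player\setup_wm.exe"
UNREG32 = r"C:\Windows\SysWOW64\unregmp2.exe"
UNREG64 = r"C:\Windows\system32\unregmp2.exe"

# Constructed process table built from the report's Processes list and the PIDs in
# its WriteProcessMemory table. Server.exe's parent (the sandbox launcher) is unknown
# and given ppid 0; explorer.exe's PID 1184 and its role as wmplayer.exe's parent are
# ASSUMPTIONS made for this example.
PROCS = [
    Proc(1184, 0,    r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"'),
    Proc(2168, 0,    SERVER, rf'"{SERVER}"'),
    Proc(2516, 2168, r"C:\Windows\SysWOW64\netsh.exe",
         rf'netsh firewall add allowedprogram "{SERVER}" "Server.exe" ENABLE'),
    Proc(2304, 1184, WMPLAYER, rf'"{WMPLAYER}" /Play -Embedding'),
    Proc(2324, 2304, SETUP_WM, rf'"{SETUP_WM}" /RunOnce:"{WMPLAYER}" /Play -Embedding'),
    Proc(3048, 2324, UNREG32, rf'{UNREG64} /ShowWMP /SetShowState /CreateMediaLibrary'),
    Proc(2124, 3048, UNREG64,
         r'"C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT'),
    Proc(2232, 2324, UNREG32, rf'"{UNREG64}" /PerformIndivIfNeeded'),
    Proc(1044, 2232, UNREG64, r'"C:\Windows\SysNative\unregmp2.exe" /PerformIndivIfNeeded /REENTRANT'),
    Proc(2616, 2324, WMPLAYER, rf'"{WMPLAYER}" /Relaunch /Play C:\Users\Admin\Music\ExportComplete.wm'),
]

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")

# Windows-style tokenizer: a quoted string is one token, and key="value" stays together.
TOKEN_RE = re.compile(r'"([^"]*)"|((?:[^\s"]+|"[^"]*")+)')


def split_cmdline(cmd):
    return [q if q else p for q, p in TOKEN_RE.findall(cmd)]


def parse_netsh_allow(cmdline):
    """Return the program a netsh command exempts from the firewall, or None.

    Handles the legacy form used in this report
    (netsh firewall add allowedprogram <path> <name> ENABLE) and the advfirewall
    form (netsh advfirewall firewall add rule ... program=<path>).
    """
    toks = split_cmdline(cmdline)
    if not toks:
        return None
    low = [t.lower() for t in toks]
    if not (low[0] == "netsh" or low[0].endswith("netsh.exe")) or "add" not in low:
        return None
    kv = {t.split("=", 1)[0].lower(): t.split("=", 1)[1].strip('"') for t in toks if "=" in t}
    if "allowedprogram" in low:
        if "program" in kv:
            return kv["program"]
        i = low.index("allowedprogram")
        return toks[i + 1] if i + 1 < len(toks) else None
    if "advfirewall" in low and "rule" in low:
        return kv.get("program")
    return None


def process_chain(procs, pid):
    """Ancestor images from the root down to pid (cycle-safe)."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain[::-1]


def find_firewall_exclusions(procs):
    """Flag netsh firewall exceptions and score the njRAT pattern: a process in a
    user-writable path spawning netsh to whitelist its own executable."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        allowed = parse_netsh_allow(p.cmdline)
        if allowed is None:
            continue
        parent = by_pid.get(p.ppid)
        target = allowed.lower()
        self_whitelist = parent is not None and parent.image.lower() == target
        user_writable = target.startswith(USER_WRITABLE)
        findings.append({
            "netsh_pid": p.pid,
            "allowed_program": allowed,
            "parent_image": parent.image if parent else None,
            "self_whitelisting": self_whitelist,
            "user_writable": user_writable,
            "severity": "high" if (self_whitelist and user_writable)
                        else "medium" if (self_whitelist or user_writable) else "low",
            "chain": process_chain(procs, p.pid),
        })
    return findings


if __name__ == "__main__":
    for f in find_firewall_exclusions(PROCS):
        print(f["severity"], f["allowed_program"], " -> ".join(f["chain"]))
    print(" -> ".join(process_chain(PROCS, 1044)))
```

On this table the only hit is the netsh.exe child of Server.exe, rated high because the whitelisted program is both its parent and a file under C:\Users; the unregmp2.exe chain resolves cleanly back through setup_wm.exe and wmplayer.exe, which is how the Active Setup and registry-class noise earlier in the report is attributed to WMP rather than to the sample.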

Network

Country Destination Domain Proto Events
US 8.8.8.8:53 nature-dawn.gl.at.ply.gg udp 5
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp 44
US 8.8.8.8:53 redir.metaservices.microsoft.com udp 2
GB 88.221.134.89:80 redir.metaservices.microsoft.com tcp 1
GB 88.221.134.112:80 redir.metaservices.microsoft.com tcp 1
US 8.8.8.8:53 onlinestores.metaservices.microsoft.com udp 1
GB 88.221.135.114:80 onlinestores.metaservices.microsoft.com tcp 1
US 8.8.8.8:53 toc.music.metaservices.microsoft.com udp 1
US 8.8.8.8:53 info.music.metaservices.microsoft.com udp 1

The 57 original rows are collapsed above with an event count. The only non-Microsoft destination is 147.185.221.18:3639, reached through nature-dawn.gl.at.ply.gg, a playit.gg tunnel hostname (*.ply.gg): the sample re-resolved the name 5 times and reconnected 44 times over the roughly 30-minute run, which is the njRAT C2 channel. The *.metaservices.microsoft.com lookups and port-80 connections are Windows Media Player's own metadata-service traffic from the wmplayer.exe session.
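
Collapsing the table by destination and counting events is what separates the C2 beacon from WMP's metadata lookups. This Python is an added example for this page, not the sandbox's code: it parses rows in the report's column layout, summarizes them per endpoint, and flags TCP destinations that combine a structural signal (tunnel-service hostname or non-web port) with a behavioural one (repeated connections or DNS re-resolution). The sample rows are a constructed excerpt of the report's table, so the counts are smaller than the report's totals, and the tunnel-suffix list beyond .ply.gg is an assumed starter list rather than anything the report states.

```python
import re
from collections import Counter

# Constructed excerpt of the report's Network table (same column layout: country,
# destination ip:port, resolved domain, protocol). Only a subset of the report's
# rows is reproduced, so counts here are smaller than the report's totals.
SAMPLE = """\
US 8.8.8.8:53 nature-dawn.gl.at.ply.gg udp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 8.8.8.8:53 redir.metaservices.microsoft.com udp
GB 88.221.134.89:80 redir.metaservices.microsoft.com tcp
US 8.8.8.8:53 onlinestores.metaservices.microsoft.com udp
GB 88.221.135.114:80 onlinestores.metaservices.microsoft.com tcp
US 8.8.8.8:53 nature-dawn.gl.at.ply.gg udp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$")

# Hostname suffixes of free tunnelling/reverse-proxy services that commodity RATs use
# to expose a C2 listener behind NAT. ply.gg is playit.gg's; the rest are an ASSUMED
# starter list, not something the report states.
TUNNEL_SUFFIXES = (".ply.gg", ".playit.gg", ".ngrok.io", ".ngrok-free.app", ".loca.lt", ".serveo.net")
WEB_PORTS = {80, 443}


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            rows.append(d)
    return rows


def summarize(rows):
    """Collapse the flat table into (proto, ip, port, domain) -> event count, busiest first."""
    counts = Counter((r["proto"], r["ip"], r["port"], r["domain"]) for r in rows)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def flag_c2(rows, min_connections=3):
    """Return TCP destinations that look like a RAT's C2 channel.

    A hit needs a structural signal (tunnel-service hostname or non-web port) AND a
    behavioural one (repeated connections, or the name being re-resolved), which keeps
    single HTTP fetches of Microsoft metadata services out of the result.
    """
    dns_lookups = Counter(r["domain"] for r in rows if r["proto"] == "udp" and r["port"] == 53)
    hits = []
    for (proto, ip, port, domain), n in summarize(rows):
        if proto != "tcp":
            continue
        reasons = []
        if domain.endswith(TUNNEL_SUFFIXES):
            reasons.append("tunnel-service domain")
        if port not in WEB_PORTS:
            reasons.append("non-web port %d" % port)
        structural = bool(reasons)
        if n >= min_connections:
            reasons.append("%d connections to one endpoint" % n)
        if dns_lookups[domain] > 1:
            reasons.append("%d DNS re-resolutions" % dns_lookups[domain])
        behavioural = n >= min_connections or dns_lookups[domain] > 1
        if structural and behavioural:
            hits.append({"ip": ip, "port": port, "domain": domain,
                         "connections": n, "reasons": reasons})
    return hits


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    for key, n in summarize(rows):
        print(n, *key)
    for h in flag_c2(rows):
        print("C2 candidate:", h)
```

The two-signal rule matters for this report: the metaservices.microsoft.com connections are single port-80 fetches to a Microsoft name and never qualify, while 147.185.221.18:3639 is flagged on every axis (tunnel suffix, non-web port, repeated reconnects, repeated resolution).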

Files

memory/2168-0-0x0000000074A10000-0x0000000074FBB000-memory.dmp

memory/2168-2-0x0000000074A10000-0x0000000074FBB000-memory.dmp

memory/2168-1-0x0000000000270000-0x00000000002B0000-memory.dmp

memory/2168-3-0x0000000000270000-0x00000000002B0000-memory.dmp

memory/2168-4-0x0000000074A10000-0x0000000074FBB000-memory.dmp

memory/2168-5-0x0000000000270000-0x00000000002B0000-memory.dmp

C:\Users\Admin\Desktop\RegisterDisable.docx

MD5 8705248c19e5ee1b32ebcf606966d8c9
SHA1 9dd1731ce1ce803e386d16f3fc513eb0e82b039f
SHA256 f87506719ad503481550ee959385eeb58645f65ca4e896406709c2bfab5747fc
SHA512 10661e2e64e555e655f387e87374569c636acf2b10692194d6fcdf1bebbab459e5c9297ae965abe409d814746beb62a338fe56b6e2f9d01495f8a2884e7ba75d

C:\Users\Admin\AppData\Local\Temp\tmp44354.WMC\allservices.xml

MD5 df03e65b8e082f24dab09c57bc9c6241
SHA1 6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf
SHA256 155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba
SHA512 ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

C:\Users\Admin\AppData\Local\Temp\tmp46273.WMC\serviceinfo.xml

MD5 d58da90d6dc51f97cb84dfbffe2b2300
SHA1 5f86b06b992a3146cb698a99932ead57a5ec4666
SHA256 93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad
SHA512 7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 9886576e66b81b25fd681b343d4fcada
SHA1 e521b1d0564401d3674ceeab52e047a3d3be5ac4
SHA256 d336097245b946c264031533e8fdb6c45da641b0ecea9107d119a87de9cc4b53
SHA512 2d8355732f883b4b76c14ba53cce8224c76c2431c101ab948b812658eee2125cbe11dfce8ac0ba259b46ec2bfdf565903eecf79b8fe1abcfeb36d2d8854c6041

memory/1044-22-0x000007FEF4FE0000-0x000007FEF50A2000-memory.dmp

memory/2616-31-0x0000000000160000-0x0000000000161000-memory.dmp

memory/1044-30-0x000007FEF40A0000-0x000007FEF41C8000-memory.dmp

memory/1044-32-0x000007FEF4F00000-0x000007FEF4FD1000-memory.dmp

memory/1044-38-0x000007FEF4FE0000-0x000007FEF50A2000-memory.dmp

memory/1044-39-0x000007FEF4F00000-0x000007FEF4FD1000-memory.dmp

memory/1044-40-0x000007FEF40A0000-0x000007FEF41C8000-memory.dmp

memory/2616-44-0x0000000003EC0000-0x0000000003ECA000-memory.dmp

memory/2616-49-0x0000000003EC0000-0x0000000003ECA000-memory.dmp

memory/2616-48-0x0000000003EC0000-0x0000000003ECA000-memory.dmp

memory/2616-47-0x0000000003EC0000-0x0000000003ECA000-memory.dmp

memory/2616-46-0x0000000003EC0000-0x0000000003ECA000-memory.dmp

memory/2616-45-0x0000000003EC0000-0x0000000003ECA000-memory.dmp

memory/2616-50-0x000000006EB20000-0x000000006EC11000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb

MD5 d01ce8738231e9ff5b39d030c9820cc3
SHA1 07a875a9686dbe5d69f5ee94574a1d4e8d520db7
SHA256 6f316c04071312a56b8dae79b25a47d31ae88821a18f20401bdb78e0eff4dc1d
SHA512 c07ae2e67e42926119ccab6ddac5de508805769c3afe813d69c5eb5d46a6c1d3ce5cc46d6e75b5f770d35e57416018b62480723fb7f08b7f7ca28a139b987076

memory/2616-52-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2616-53-0x0000000003EC0000-0x0000000003ECA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{D81C8585-B0F0-44BE-B1D1-40FE443E10DB}.jpg

MD5 fd5fd28e41676618aac733b243ad54db
SHA1 b2d69ad6a2e22c30ef1806ac4f990790c3b44763
SHA256 a26544648ef8ceffad6c789a3677031be3c515918627d7c8f8e0587d3033c431
SHA512 4c32623796679be7066b719f231d08d24341784ecfd5d6461e8140379f5b394216e446865df56e05b5f1e36962c9d34d2b5041275366aeabcd606f4536217fe4

memory/2616-90-0x0000000003EC0000-0x0000000003ECA000-memory.dmp

memory/2616-91-0x0000000003EC0000-0x0000000003ECA000-memory.dmp

memory/2616-92-0x0000000003EC0000-0x0000000003ECA000-memory.dmp

memory/2616-93-0x0000000003EC0000-0x0000000003ECA000-memory.dmp

memory/2616-94-0x000000006EB20000-0x000000006EC11000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-23 22:40

Reported

2024-02-23 23:24

Platform

win10v2004-20240221-en

Max time kernel

1799s

Max time network

1802s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

Signatures

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1732 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\netsh.exe
PID 1732 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\netsh.exe
PID 1732 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 nature-dawn.gl.at.ply.gg udp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 8.8.8.8:53 18.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 8.8.8.8:53 nature-dawn.gl.at.ply.gg udp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 8.8.8.8:53 nature-dawn.gl.at.ply.gg udp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 8.8.8.8:53 nature-dawn.gl.at.ply.gg udp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 8.8.8.8:53 nature-dawn.gl.at.ply.gg udp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 8.8.8.8:53 nature-dawn.gl.at.ply.gg udp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 8.8.8.8:53 nature-dawn.gl.at.ply.gg udp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 8.8.8.8:53 nature-dawn.gl.at.ply.gg udp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp
US 147.185.221.18:3639 nature-dawn.gl.at.ply.gg tcp

Files

memory/1732-0-0x00000000749B0000-0x0000000074F61000-memory.dmp

memory/1732-1-0x00000000749B0000-0x0000000074F61000-memory.dmp

memory/1732-2-0x0000000000B30000-0x0000000000B40000-memory.dmp

memory/1732-3-0x00000000749B0000-0x0000000074F61000-memory.dmp

memory/1732-4-0x00000000749B0000-0x0000000074F61000-memory.dmp

memory/1732-5-0x0000000000B30000-0x0000000000B40000-memory.dmp