Analysis
-
max time kernel
130s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
20-04-2024 04:20
Static task
static1
Behavioral task
behavioral1
Sample
fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe
-
Size
677KB
-
MD5
fbea1348950ebaa7d90f9d51dd0a7a9c
-
SHA1
9b37e6de95224163cc1378d2be066e1189fbe387
-
SHA256
b3980e29888786493c8cad1243df744f4edf730e911d6a8725df1ab73d0a3d0f
-
SHA512
ecf7f1fb093bd9b768e329b1a918484be751fb995fce22fb3fa9deeb21a08080020bd607415f1aaec5fa3087a11202c1479508dc0fa574a2a558df72d6a4d60b
-
SSDEEP
12288:55VfzdeGreeF09DPa5b9h7ukziWy9EUKFTZdXTZdHXTZdXTZdVfzdeGreeF09DP0:5bdm2x9ESiWy9EFFTZdXTZdHXTZdXTZ5
Malware Config
Extracted
njrat
0.7d
HacKed
hakim32.ddns.net:2000
62.227.124.106:5552
b65a1c967a241651fee52d79e3eaa41f
-
reg_key
b65a1c967a241651fee52d79e3eaa41f
-
splitter
|'|'|
Signatures
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 64 IoCs
Processes:
netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exepid process 2080 netsh.exe 1128 netsh.exe 2264 netsh.exe 288 netsh.exe 2704 netsh.exe 2880 netsh.exe 3008 netsh.exe 1764 netsh.exe 2672 netsh.exe 2480 netsh.exe 2120 netsh.exe 1612 netsh.exe 2816 netsh.exe 2820 netsh.exe 628 netsh.exe 2612 netsh.exe 2332 netsh.exe 3024 netsh.exe 2760 netsh.exe 1964 netsh.exe 1292 netsh.exe 1964 netsh.exe 1840 netsh.exe 2352 netsh.exe 1588 netsh.exe 876 netsh.exe 2356 netsh.exe 2056 netsh.exe 2356 netsh.exe 2052 netsh.exe 1872 netsh.exe 2936 netsh.exe 2844 netsh.exe 2796 netsh.exe 584 netsh.exe 2240 netsh.exe 808 netsh.exe 1976 netsh.exe 2012 netsh.exe 2440 netsh.exe 2532 netsh.exe 824 netsh.exe 1056 netsh.exe 796 netsh.exe 292 netsh.exe 1096 netsh.exe 2596 netsh.exe 2624 netsh.exe 1616 netsh.exe 2472 netsh.exe 560 netsh.exe 2956 netsh.exe 2612 netsh.exe 628 netsh.exe 1656 netsh.exe 772 netsh.exe 2772 netsh.exe 1748 netsh.exe 1952 netsh.exe 2084 netsh.exe 3056 netsh.exe 2512 netsh.exe 996 netsh.exe 2832 netsh.exe -
Drops startup file 64 IoCs
Processes:
server.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe server.exe -
Executes dropped EXE 64 IoCs
Processes:
test.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeWservices.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exepid process 2756 test.exe 2732 server.exe 3064 svchost.exe 2268 server.exe 1164 svchost.exe 1232 server.exe 2576 svchost.exe 1952 server.exe 376 svchost.exe 2796 server.exe 1736 svchost.exe 2340 server.exe 2660 svchost.exe 2972 server.exe 828 svchost.exe 3064 server.exe 2412 svchost.exe 1160 server.exe 2572 svchost.exe 2204 server.exe 2336 svchost.exe 2264 server.exe 720 svchost.exe 2280 server.exe 2996 svchost.exe 764 server.exe 2604 svchost.exe 2368 server.exe 608 svchost.exe 1100 server.exe 1808 svchost.exe 1304 server.exe 764 svchost.exe 1872 server.exe 2544 svchost.exe 1316 server.exe 2300 svchost.exe 2056 server.exe 1956 svchost.exe 2452 server.exe 2268 svchost.exe 2088 server.exe 1160 svchost.exe 1696 server.exe 572 svchost.exe 1628 Wservices.exe 2716 server.exe 2952 svchost.exe 1864 server.exe 2076 svchost.exe 2372 server.exe 1580 svchost.exe 2476 server.exe 808 svchost.exe 2916 server.exe 2416 svchost.exe 1272 server.exe 1584 svchost.exe 2776 server.exe 1528 svchost.exe 2656 server.exe 1448 svchost.exe 1736 server.exe 2936 svchost.exe -
Loads dropped DLL 64 IoCs
Processes:
fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exetest.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exepid process 2868 fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe 2868 fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe 2756 test.exe 2756 test.exe 2732 server.exe 2732 server.exe 3064 svchost.exe 3064 svchost.exe 2268 server.exe 2268 server.exe 1164 svchost.exe 1164 svchost.exe 1232 server.exe 1232 server.exe 2576 svchost.exe 2576 svchost.exe 1952 server.exe 1952 server.exe 376 svchost.exe 376 svchost.exe 2796 server.exe 2796 server.exe 1736 svchost.exe 1736 svchost.exe 2340 server.exe 2340 server.exe 2660 svchost.exe 2660 svchost.exe 2972 server.exe 2972 server.exe 828 svchost.exe 828 svchost.exe 3064 server.exe 3064 server.exe 2412 svchost.exe 2412 svchost.exe 1160 server.exe 1160 server.exe 2572 svchost.exe 2572 svchost.exe 2204 server.exe 2204 server.exe 2336 svchost.exe 2336 svchost.exe 2264 server.exe 2264 server.exe 720 svchost.exe 720 svchost.exe 2280 server.exe 2280 server.exe 2996 svchost.exe 2996 svchost.exe 764 server.exe 764 server.exe 2604 svchost.exe 2604 svchost.exe 2368 server.exe 2368 server.exe 608 svchost.exe 608 svchost.exe 1100 server.exe 1100 server.exe 1808 svchost.exe 1808 svchost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wservices.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Wservices.exe" fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
server.exedescription ioc process File created C:\autorun.inf server.exe File opened for modification C:\autorun.inf server.exe File created F:\autorun.inf server.exe File opened for modification F:\autorun.inf server.exe -
Drops file in System32 directory 40 IoCs
Processes:
server.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File created C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Wservices.exedescription pid process target process PID 1628 set thread context of 2624 1628 Wservices.exe Wservices.exe -
Drops file in Program Files directory 40 IoCs
Processes:
server.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exedescription ioc process File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File created C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
server.exepid process 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe 2732 server.exe -
Suspicious use of AdjustPrivilegeToken 39 IoCs
Processes:
server.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exedescription pid process Token: SeDebugPrivilege 2732 server.exe Token: SeDebugPrivilege 2268 server.exe Token: SeDebugPrivilege 1232 server.exe Token: SeDebugPrivilege 1952 server.exe Token: SeDebugPrivilege 2796 server.exe Token: SeDebugPrivilege 2340 server.exe Token: SeDebugPrivilege 2972 server.exe Token: SeDebugPrivilege 3064 server.exe Token: SeDebugPrivilege 1160 server.exe Token: SeDebugPrivilege 2204 server.exe Token: SeDebugPrivilege 2264 server.exe Token: SeDebugPrivilege 2280 server.exe Token: SeDebugPrivilege 764 server.exe Token: SeDebugPrivilege 2368 server.exe Token: SeDebugPrivilege 1100 server.exe Token: SeDebugPrivilege 1304 server.exe Token: SeDebugPrivilege 1872 server.exe Token: SeDebugPrivilege 1316 server.exe Token: SeDebugPrivilege 2056 server.exe Token: SeDebugPrivilege 2452 server.exe Token: SeDebugPrivilege 2088 server.exe Token: SeDebugPrivilege 1696 server.exe Token: SeDebugPrivilege 2716 server.exe Token: SeDebugPrivilege 1864 server.exe Token: SeDebugPrivilege 2372 server.exe Token: SeDebugPrivilege 2476 server.exe Token: SeDebugPrivilege 2916 server.exe Token: SeDebugPrivilege 1272 server.exe Token: SeDebugPrivilege 2776 server.exe Token: SeDebugPrivilege 2656 server.exe Token: SeDebugPrivilege 1736 server.exe Token: SeDebugPrivilege 2772 server.exe Token: SeDebugPrivilege 1544 server.exe Token: SeDebugPrivilege 1664 server.exe Token: SeDebugPrivilege 2816 server.exe Token: SeDebugPrivilege 2332 server.exe Token: SeDebugPrivilege 2124 server.exe Token: SeDebugPrivilege 2720 server.exe Token: SeDebugPrivilege 2768 server.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exetest.exeserver.exesvchost.exeserver.exesvchost.exeserver.exedescription pid process target process PID 2868 wrote to memory of 2756 2868 fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe test.exe PID 2868 wrote to memory of 2756 2868 fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe test.exe PID 2868 wrote to memory of 2756 2868 fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe test.exe PID 2868 wrote to memory of 2756 2868 fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe test.exe PID 2756 wrote to memory of 2732 2756 test.exe server.exe PID 2756 wrote to memory of 2732 2756 test.exe server.exe PID 2756 wrote to memory of 2732 2756 test.exe server.exe PID 2756 wrote to memory of 2732 2756 test.exe server.exe PID 2732 wrote to memory of 2612 2732 server.exe netsh.exe PID 2732 wrote to memory of 2612 2732 server.exe netsh.exe PID 2732 wrote to memory of 2612 2732 server.exe netsh.exe PID 2732 wrote to memory of 2612 2732 server.exe netsh.exe PID 2732 wrote to memory of 2532 2732 server.exe netsh.exe PID 2732 wrote to memory of 2532 2732 server.exe netsh.exe PID 2732 wrote to memory of 2532 2732 server.exe netsh.exe PID 2732 wrote to memory of 2532 2732 server.exe netsh.exe PID 2732 wrote to memory of 2772 2732 server.exe netsh.exe PID 2732 wrote to memory of 2772 2732 server.exe netsh.exe PID 2732 wrote to memory of 2772 2732 server.exe netsh.exe PID 2732 wrote to memory of 2772 2732 server.exe netsh.exe PID 2732 wrote to memory of 3064 2732 server.exe svchost.exe PID 2732 wrote to memory of 3064 2732 server.exe svchost.exe PID 2732 wrote to memory of 3064 2732 server.exe svchost.exe PID 2732 wrote to memory of 3064 2732 server.exe svchost.exe PID 3064 wrote to memory of 2268 3064 svchost.exe server.exe PID 3064 wrote to memory of 2268 3064 svchost.exe server.exe PID 3064 wrote to memory of 2268 3064 svchost.exe server.exe PID 3064 wrote to memory of 2268 3064 svchost.exe server.exe PID 2268 wrote to memory of 876 2268 server.exe netsh.exe PID 2268 wrote to memory of 876 2268 server.exe netsh.exe PID 2268 wrote to memory of 876 2268 server.exe netsh.exe PID 2268 wrote to memory of 876 2268 server.exe netsh.exe PID 2268 wrote to memory of 584 2268 server.exe netsh.exe PID 2268 wrote to memory of 584 2268 server.exe netsh.exe PID 2268 wrote to memory of 584 2268 server.exe netsh.exe PID 2268 wrote to memory of 584 2268 server.exe netsh.exe PID 2268 wrote to memory of 824 2268 server.exe netsh.exe PID 2268 wrote to memory of 824 2268 server.exe netsh.exe PID 2268 wrote to memory of 824 2268 server.exe netsh.exe PID 2268 wrote to memory of 824 2268 server.exe netsh.exe PID 2268 wrote to memory of 1164 2268 server.exe svchost.exe PID 2268 wrote to memory of 1164 2268 server.exe svchost.exe PID 2268 wrote to memory of 1164 2268 server.exe svchost.exe PID 2268 wrote to memory of 1164 2268 server.exe svchost.exe PID 1164 wrote to memory of 1232 1164 svchost.exe server.exe PID 1164 wrote to memory of 1232 1164 svchost.exe server.exe PID 1164 wrote to memory of 1232 1164 svchost.exe server.exe PID 1164 wrote to memory of 1232 1164 svchost.exe server.exe PID 1232 wrote to memory of 2240 1232 server.exe netsh.exe PID 1232 wrote to memory of 2240 1232 server.exe netsh.exe PID 1232 wrote to memory of 2240 1232 server.exe netsh.exe PID 1232 wrote to memory of 2240 1232 server.exe netsh.exe PID 1232 wrote to memory of 2536 1232 server.exe netsh.exe PID 1232 wrote to memory of 2536 1232 server.exe netsh.exe PID 1232 wrote to memory of 2536 1232 server.exe netsh.exe PID 1232 wrote to memory of 2536 1232 server.exe netsh.exe PID 1232 wrote to memory of 2052 1232 server.exe netsh.exe PID 1232 wrote to memory of 2052 1232 server.exe netsh.exe PID 1232 wrote to memory of 2052 1232 server.exe netsh.exe PID 1232 wrote to memory of 2052 1232 server.exe netsh.exe PID 1232 wrote to memory of 2576 1232 server.exe svchost.exe PID 1232 wrote to memory of 2576 1232 server.exe svchost.exe PID 1232 wrote to memory of 2576 1232 server.exe svchost.exe PID 1232 wrote to memory of 2576 1232 server.exe svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE4⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"5⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE6⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"7⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE8⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"8⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE8⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"9⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE10⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"10⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE10⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"11⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE12⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"12⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE12⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"13⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE14⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"14⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE14⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"14⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE16⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"16⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE16⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"16⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"17⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE18⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"18⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE18⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE20⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"20⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE20⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"20⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"21⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE22⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"22⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE22⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"22⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"23⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE24⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"24⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE24⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"24⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"25⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE26⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"26⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE26⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"26⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"27⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE28⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"28⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE28⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"28⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"29⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE30⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"30⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE30⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"30⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"31⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE32⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"32⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE32⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"32⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"33⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE34⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"34⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE34⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"34⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"35⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE36⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"36⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE36⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"36⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"37⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE38⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"38⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE38⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"38⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"39⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE40⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"40⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE40⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"40⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"41⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE42⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"42⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE42⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"42⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"43⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE44⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"44⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE44⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"44⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"45⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE46⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"46⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE46⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"46⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"47⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE48⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"48⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE48⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"48⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"49⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE50⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"50⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE50⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"50⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"51⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE52⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"52⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE52⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"52⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"53⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE54⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"54⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE54⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"54⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"55⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE56⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"56⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE56⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"56⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"57⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE58⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"58⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE58⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"58⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"59⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE60⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"60⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE60⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"60⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"61⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE62⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"62⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE62⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"62⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"63⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE64⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"64⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE64⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"64⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"65⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE66⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"66⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE66⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"66⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"67⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE68⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"68⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE68⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"68⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"69⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE70⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"70⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE70⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"70⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"71⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE72⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"72⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE72⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"72⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"73⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE74⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"74⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE74⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"74⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"75⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE76⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"76⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE76⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"76⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"77⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE78⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"78⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE78⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"78⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"79⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE80⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"80⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE80⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"80⤵
-
C:\Users\Admin\AppData\Roaming\Wservices.exe"C:\Users\Admin\AppData\Roaming\Wservices.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Wservices.exe"C:\Users\Admin\AppData\Roaming\Wservices.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\melt.txtFilesize
44B
MD5298802dff6aa26d4fb941c7ccf5c0849
SHA111e518ca3409f1863ebc2d3f1be9fb701bad52c0
SHA256df99fdbdf7b92b29b1bf1ca4283b4de2e04643b9739d2d1089ab5808e8e5665d
SHA5120301017dfef1b74855d6535f3fd542257689479cb933c2e8742b5b6b94e26107fa38e7fc21bdb83d45184750eced344856092330fb30a1ebbc24b2b9004c8946
-
C:\Users\Admin\AppData\Roaming\appFilesize
5B
MD553ce6d1ae8885b5d12e654469f456c83
SHA19d8b30c523ddef4d24134072b27716bec7d94d6f
SHA256d7ebf92ad6e3bc44fbc3cfbb234ef4afafd7ea339f712229641a2849b6f87ce2
SHA512c15df9281e9ccbb8d30e24e751b77a030e734f8cda4bd9482d3ca02f6b23e463a8e90ddd78a582ca059e57b8d0492c22583d792bc7368094ffc06e12cd145d9d
-
\Users\Admin\AppData\Local\Temp\test.exeFilesize
93KB
MD55b5cecffd6d09aa17c582173815afd50
SHA120bfb5c4e4edf0900148ea309f9daf56301a8ddc
SHA256ee19384a3d3599ab5f20eba3becd707dba301a94e383daf1248c08b4709aa230
SHA512fe61e23dcd2acf8da0b25d206425ac5a3eab503726056605ca66a46b8ab933cd2741f7bf8353049c807284b7a146c53f27fdd78b52485573e3ef8c7f96e3d5bf
-
memory/376-285-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/376-276-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/376-275-0x00000000001B0000-0x00000000001F0000-memory.dmpFilesize
256KB
-
memory/376-274-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/828-428-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/828-420-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/828-419-0x00000000005C0000-0x0000000000600000-memory.dmpFilesize
256KB
-
memory/828-418-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/1164-152-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/1164-153-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/1164-166-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/1232-224-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/1232-169-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/1232-168-0x0000000001FA0000-0x0000000001FE0000-memory.dmpFilesize
256KB
-
memory/1232-167-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/1736-332-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/1736-324-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/1736-322-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/1736-323-0x0000000002130000-0x0000000002170000-memory.dmpFilesize
256KB
-
memory/1952-238-0x00000000020B0000-0x00000000020F0000-memory.dmpFilesize
256KB
-
memory/1952-239-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/1952-237-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/1952-273-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2268-97-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2268-96-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2268-151-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2340-333-0x0000000001D90000-0x0000000001DD0000-memory.dmpFilesize
256KB
-
memory/2340-369-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2340-335-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2340-334-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2576-226-0x0000000000310000-0x0000000000350000-memory.dmpFilesize
256KB
-
memory/2576-227-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2576-225-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2576-236-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2624-1965-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/2624-1955-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/2624-1963-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/2624-1968-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/2624-1961-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2624-1959-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/2624-1957-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/2660-380-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2660-372-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2660-371-0x00000000020E0000-0x0000000002120000-memory.dmpFilesize
256KB
-
memory/2660-370-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2732-27-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2732-80-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2732-29-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2732-28-0x0000000002130000-0x0000000002170000-memory.dmpFilesize
256KB
-
memory/2756-12-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2756-26-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2756-14-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2756-13-0x00000000002D0000-0x0000000000310000-memory.dmpFilesize
256KB
-
memory/2796-321-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2796-287-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2796-284-0x00000000001F0000-0x0000000000230000-memory.dmpFilesize
256KB
-
memory/2796-286-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2868-223-0x00000000745B0000-0x0000000074C9E000-memory.dmpFilesize
6.9MB
-
memory/2868-1-0x00000000745B0000-0x0000000074C9E000-memory.dmpFilesize
6.9MB
-
memory/2868-0-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2972-417-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2972-382-0x0000000001E40000-0x0000000001E80000-memory.dmpFilesize
256KB
-
memory/2972-381-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/2972-383-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/3064-95-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/3064-465-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/3064-431-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/3064-81-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/3064-82-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB
-
memory/3064-430-0x0000000001FA0000-0x0000000001FE0000-memory.dmpFilesize
256KB
-
memory/3064-429-0x00000000709F0000-0x0000000070F9B000-memory.dmpFilesize
5.7MB