njrat | b3980e29888786493c8cad1243df744f4edf730e911d6a8725df1ab73d0a3d0f

Analysis

max time kernel
130s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe
Size

677KB
MD5

fbea1348950ebaa7d90f9d51dd0a7a9c
SHA1

9b37e6de95224163cc1378d2be066e1189fbe387
SHA256

b3980e29888786493c8cad1243df744f4edf730e911d6a8725df1ab73d0a3d0f
SHA512

ecf7f1fb093bd9b768e329b1a918484be751fb995fce22fb3fa9deeb21a08080020bd607415f1aaec5fa3087a11202c1479508dc0fa574a2a558df72d6a4d60b
SSDEEP

12288:55VfzdeGreeF09DPa5b9h7ukziWy9EUKFTZdXTZdHXTZdXTZdVfzdeGreeF09DP0:5bdm2x9ESiWy9EFFTZdXTZdHXTZdXTZ5

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

62.227.124.106:5552

Mutex

b65a1c967a241651fee52d79e3eaa41f

Attributes

reg_key
b65a1c967a241651fee52d79e3eaa41f
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 64 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
2080	netsh.exe
1128	netsh.exe
2264	netsh.exe
288	netsh.exe
2704	netsh.exe
2880	netsh.exe
3008	netsh.exe
1764	netsh.exe
2672	netsh.exe
2480	netsh.exe
2120	netsh.exe
1612	netsh.exe
2816	netsh.exe
2820	netsh.exe
628	netsh.exe
2612	netsh.exe
2332	netsh.exe
3024	netsh.exe
2760	netsh.exe
1964	netsh.exe
1292	netsh.exe
1964	netsh.exe
1840	netsh.exe
2352	netsh.exe
1588	netsh.exe
876	netsh.exe
2356	netsh.exe
2056	netsh.exe
2356	netsh.exe
2052	netsh.exe
1872	netsh.exe
2936	netsh.exe
2844	netsh.exe
2796	netsh.exe
584	netsh.exe
2240	netsh.exe
808	netsh.exe
1976	netsh.exe
2012	netsh.exe
2440	netsh.exe
2532	netsh.exe
824	netsh.exe
1056	netsh.exe
796	netsh.exe
292	netsh.exe
1096	netsh.exe
2596	netsh.exe
2624	netsh.exe
1616	netsh.exe
2472	netsh.exe
560	netsh.exe
2956	netsh.exe
2612	netsh.exe
628	netsh.exe
1656	netsh.exe
772	netsh.exe
2772	netsh.exe
1748	netsh.exe
1952	netsh.exe
2084	netsh.exe
3056	netsh.exe
2512	netsh.exe
996	netsh.exe
2832	netsh.exe

Drops startup file 64 IoCs

Processes:

server.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b65a1c967a241651fee52d79e3eaa41fWindows Update.exe	server.exe

Executes dropped EXE 64 IoCs

Processes:

test.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeWservices.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exe

pid	process
2756	test.exe
2732	server.exe
3064	svchost.exe
2268	server.exe
1164	svchost.exe
1232	server.exe
2576	svchost.exe
1952	server.exe
376	svchost.exe
2796	server.exe
1736	svchost.exe
2340	server.exe
2660	svchost.exe
2972	server.exe
828	svchost.exe
3064	server.exe
2412	svchost.exe
1160	server.exe
2572	svchost.exe
2204	server.exe
2336	svchost.exe
2264	server.exe
720	svchost.exe
2280	server.exe
2996	svchost.exe
764	server.exe
2604	svchost.exe
2368	server.exe
608	svchost.exe
1100	server.exe
1808	svchost.exe
1304	server.exe
764	svchost.exe
1872	server.exe
2544	svchost.exe
1316	server.exe
2300	svchost.exe
2056	server.exe
1956	svchost.exe
2452	server.exe
2268	svchost.exe
2088	server.exe
1160	svchost.exe
1696	server.exe
572	svchost.exe
1628	Wservices.exe
2716	server.exe
2952	svchost.exe
1864	server.exe
2076	svchost.exe
2372	server.exe
1580	svchost.exe
2476	server.exe
808	svchost.exe
2916	server.exe
2416	svchost.exe
1272	server.exe
1584	svchost.exe
2776	server.exe
1528	svchost.exe
2656	server.exe
1448	svchost.exe
1736	server.exe
2936	svchost.exe

Loads dropped DLL 64 IoCs

Processes:

fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exetest.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exe

pid	process
2868	fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe
2868	fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe
2756	test.exe
2756	test.exe
2732	server.exe
2732	server.exe
3064	svchost.exe
3064	svchost.exe
2268	server.exe
2268	server.exe
1164	svchost.exe
1164	svchost.exe
1232	server.exe
1232	server.exe
2576	svchost.exe
2576	svchost.exe
1952	server.exe
1952	server.exe
376	svchost.exe
376	svchost.exe
2796	server.exe
2796	server.exe
1736	svchost.exe
1736	svchost.exe
2340	server.exe
2340	server.exe
2660	svchost.exe
2660	svchost.exe
2972	server.exe
2972	server.exe
828	svchost.exe
828	svchost.exe
3064	server.exe
3064	server.exe
2412	svchost.exe
2412	svchost.exe
1160	server.exe
1160	server.exe
2572	svchost.exe
2572	svchost.exe
2204	server.exe
2204	server.exe
2336	svchost.exe
2336	svchost.exe
2264	server.exe
2264	server.exe
720	svchost.exe
720	svchost.exe
2280	server.exe
2280	server.exe
2996	svchost.exe
2996	svchost.exe
764	server.exe
764	server.exe
2604	svchost.exe
2604	svchost.exe
2368	server.exe
2368	server.exe
608	svchost.exe
608	svchost.exe
1100	server.exe
1100	server.exe
1808	svchost.exe
1808	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wservices.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Wservices.exe"	fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

server.exe

description	ioc	process
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe
File created	F:\autorun.inf	server.exe
File opened for modification	F:\autorun.inf	server.exe

Drops file in System32 directory 40 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File created	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Wservices.exe

description pid process target process

PID 1628 set thread context of 2624 1628 Wservices.exe Wservices.exe

description	pid	process	target process
PID 1628 set thread context of 2624	1628	Wservices.exe	Wservices.exe

Drops file in Program Files directory 40 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File created	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

server.exe

pid	process
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe
2732	server.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2732	server.exe
Token: SeDebugPrivilege	2268	server.exe
Token: SeDebugPrivilege	1232	server.exe
Token: SeDebugPrivilege	1952	server.exe
Token: SeDebugPrivilege	2796	server.exe
Token: SeDebugPrivilege	2340	server.exe
Token: SeDebugPrivilege	2972	server.exe
Token: SeDebugPrivilege	3064	server.exe
Token: SeDebugPrivilege	1160	server.exe
Token: SeDebugPrivilege	2204	server.exe
Token: SeDebugPrivilege	2264	server.exe
Token: SeDebugPrivilege	2280	server.exe
Token: SeDebugPrivilege	764	server.exe
Token: SeDebugPrivilege	2368	server.exe
Token: SeDebugPrivilege	1100	server.exe
Token: SeDebugPrivilege	1304	server.exe
Token: SeDebugPrivilege	1872	server.exe
Token: SeDebugPrivilege	1316	server.exe
Token: SeDebugPrivilege	2056	server.exe
Token: SeDebugPrivilege	2452	server.exe
Token: SeDebugPrivilege	2088	server.exe
Token: SeDebugPrivilege	1696	server.exe
Token: SeDebugPrivilege	2716	server.exe
Token: SeDebugPrivilege	1864	server.exe
Token: SeDebugPrivilege	2372	server.exe
Token: SeDebugPrivilege	2476	server.exe
Token: SeDebugPrivilege	2916	server.exe
Token: SeDebugPrivilege	1272	server.exe
Token: SeDebugPrivilege	2776	server.exe
Token: SeDebugPrivilege	2656	server.exe
Token: SeDebugPrivilege	1736	server.exe
Token: SeDebugPrivilege	2772	server.exe
Token: SeDebugPrivilege	1544	server.exe
Token: SeDebugPrivilege	1664	server.exe
Token: SeDebugPrivilege	2816	server.exe
Token: SeDebugPrivilege	2332	server.exe
Token: SeDebugPrivilege	2124	server.exe
Token: SeDebugPrivilege	2720	server.exe
Token: SeDebugPrivilege	2768	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exetest.exeserver.exesvchost.exeserver.exesvchost.exeserver.exe

description	pid	process	target process
PID 2868 wrote to memory of 2756	2868	fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe	test.exe
PID 2868 wrote to memory of 2756	2868	fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe	test.exe
PID 2868 wrote to memory of 2756	2868	fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe	test.exe
PID 2868 wrote to memory of 2756	2868	fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe	test.exe
PID 2756 wrote to memory of 2732	2756	test.exe	server.exe
PID 2756 wrote to memory of 2732	2756	test.exe	server.exe
PID 2756 wrote to memory of 2732	2756	test.exe	server.exe
PID 2756 wrote to memory of 2732	2756	test.exe	server.exe
PID 2732 wrote to memory of 2612	2732	server.exe	netsh.exe
PID 2732 wrote to memory of 2612	2732	server.exe	netsh.exe
PID 2732 wrote to memory of 2612	2732	server.exe	netsh.exe
PID 2732 wrote to memory of 2612	2732	server.exe	netsh.exe
PID 2732 wrote to memory of 2532	2732	server.exe	netsh.exe
PID 2732 wrote to memory of 2532	2732	server.exe	netsh.exe
PID 2732 wrote to memory of 2532	2732	server.exe	netsh.exe
PID 2732 wrote to memory of 2532	2732	server.exe	netsh.exe
PID 2732 wrote to memory of 2772	2732	server.exe	netsh.exe
PID 2732 wrote to memory of 2772	2732	server.exe	netsh.exe
PID 2732 wrote to memory of 2772	2732	server.exe	netsh.exe
PID 2732 wrote to memory of 2772	2732	server.exe	netsh.exe
PID 2732 wrote to memory of 3064	2732	server.exe	svchost.exe
PID 2732 wrote to memory of 3064	2732	server.exe	svchost.exe
PID 2732 wrote to memory of 3064	2732	server.exe	svchost.exe
PID 2732 wrote to memory of 3064	2732	server.exe	svchost.exe
PID 3064 wrote to memory of 2268	3064	svchost.exe	server.exe
PID 3064 wrote to memory of 2268	3064	svchost.exe	server.exe
PID 3064 wrote to memory of 2268	3064	svchost.exe	server.exe
PID 3064 wrote to memory of 2268	3064	svchost.exe	server.exe
PID 2268 wrote to memory of 876	2268	server.exe	netsh.exe
PID 2268 wrote to memory of 876	2268	server.exe	netsh.exe
PID 2268 wrote to memory of 876	2268	server.exe	netsh.exe
PID 2268 wrote to memory of 876	2268	server.exe	netsh.exe
PID 2268 wrote to memory of 584	2268	server.exe	netsh.exe
PID 2268 wrote to memory of 584	2268	server.exe	netsh.exe
PID 2268 wrote to memory of 584	2268	server.exe	netsh.exe
PID 2268 wrote to memory of 584	2268	server.exe	netsh.exe
PID 2268 wrote to memory of 824	2268	server.exe	netsh.exe
PID 2268 wrote to memory of 824	2268	server.exe	netsh.exe
PID 2268 wrote to memory of 824	2268	server.exe	netsh.exe
PID 2268 wrote to memory of 824	2268	server.exe	netsh.exe
PID 2268 wrote to memory of 1164	2268	server.exe	svchost.exe
PID 2268 wrote to memory of 1164	2268	server.exe	svchost.exe
PID 2268 wrote to memory of 1164	2268	server.exe	svchost.exe
PID 2268 wrote to memory of 1164	2268	server.exe	svchost.exe
PID 1164 wrote to memory of 1232	1164	svchost.exe	server.exe
PID 1164 wrote to memory of 1232	1164	svchost.exe	server.exe
PID 1164 wrote to memory of 1232	1164	svchost.exe	server.exe
PID 1164 wrote to memory of 1232	1164	svchost.exe	server.exe
PID 1232 wrote to memory of 2240	1232	server.exe	netsh.exe
PID 1232 wrote to memory of 2240	1232	server.exe	netsh.exe
PID 1232 wrote to memory of 2240	1232	server.exe	netsh.exe
PID 1232 wrote to memory of 2240	1232	server.exe	netsh.exe
PID 1232 wrote to memory of 2536	1232	server.exe	netsh.exe
PID 1232 wrote to memory of 2536	1232	server.exe	netsh.exe
PID 1232 wrote to memory of 2536	1232	server.exe	netsh.exe
PID 1232 wrote to memory of 2536	1232	server.exe	netsh.exe
PID 1232 wrote to memory of 2052	1232	server.exe	netsh.exe
PID 1232 wrote to memory of 2052	1232	server.exe	netsh.exe
PID 1232 wrote to memory of 2052	1232	server.exe	netsh.exe
PID 1232 wrote to memory of 2052	1232	server.exe	netsh.exe
PID 1232 wrote to memory of 2576	1232	server.exe	svchost.exe
PID 1232 wrote to memory of 2576	1232	server.exe	svchost.exe
PID 1232 wrote to memory of 2576	1232	server.exe	svchost.exe
PID 1232 wrote to memory of 2576	1232	server.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:2612

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
4⤵
- Modifies Windows Firewall
PID:2532

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:2772

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
5⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:876

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
6⤵
- Modifies Windows Firewall
PID:584

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:824

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
7⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
8⤵
- Modifies Windows Firewall
PID:2240

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
8⤵
PID:2536

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
8⤵
- Modifies Windows Firewall
PID:2052

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
9⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
10⤵
PID:1692

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
10⤵
- Modifies Windows Firewall
PID:2472

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
10⤵
PID:2676

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:376

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
11⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
12⤵
PID:1824

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
12⤵
PID:2044

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
12⤵
- Modifies Windows Firewall
PID:1056

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
13⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
14⤵
- Modifies Windows Firewall
PID:996

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
14⤵
- Modifies Windows Firewall
PID:2880

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
14⤵
- Modifies Windows Firewall
PID:2936

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
16⤵
- Modifies Windows Firewall
PID:1872

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
16⤵
PID:1936

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
16⤵
- Modifies Windows Firewall
PID:1964

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:828

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
17⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
18⤵
PID:2428

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
18⤵
PID:896

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
18⤵
- Modifies Windows Firewall
PID:560

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
20⤵
PID:1296

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
20⤵
- Modifies Windows Firewall
PID:3056

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
20⤵
- Modifies Windows Firewall
PID:1612

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
21⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
22⤵
- Modifies Windows Firewall
PID:2332

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
22⤵
- Modifies Windows Firewall
PID:3024

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
22⤵
- Modifies Windows Firewall
PID:2356

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
23⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
24⤵
PID:1512

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
24⤵
- Modifies Windows Firewall
PID:2832

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
24⤵
- Modifies Windows Firewall
PID:2844

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:720

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
25⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
26⤵
- Modifies Windows Firewall
PID:3008

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
26⤵
PID:112

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
26⤵
- Modifies Windows Firewall
PID:2056

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
27⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
28⤵
- Modifies Windows Firewall
PID:2956

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
28⤵
PID:2748

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
28⤵
PID:2608

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
29⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
30⤵
PID:2784

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
30⤵
PID:2724

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
30⤵
- Modifies Windows Firewall
PID:2480

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:608

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
31⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
32⤵
PID:584

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
32⤵
PID:1504

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
32⤵
- Modifies Windows Firewall
PID:2796

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
33⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
34⤵
PID:1680

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
34⤵
- Modifies Windows Firewall
PID:2612

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
34⤵
- Modifies Windows Firewall
PID:2080

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
34⤵
- Executes dropped EXE
PID:764

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
35⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
36⤵
PID:2360

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
36⤵
PID:1300

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
36⤵
- Modifies Windows Firewall
PID:808

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
36⤵
- Executes dropped EXE
PID:2544

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
37⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
38⤵
PID:1564

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
38⤵
- Modifies Windows Firewall
PID:1840

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
38⤵
- Modifies Windows Firewall
PID:2596

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
38⤵
- Executes dropped EXE
PID:2300

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
39⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
40⤵
- Modifies Windows Firewall
PID:2760

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
40⤵
PID:996

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
40⤵
PID:2052

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
40⤵
- Executes dropped EXE
PID:1956

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
41⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
42⤵
PID:2308

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
42⤵
PID:1816

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
42⤵
PID:1340

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
42⤵
- Executes dropped EXE
PID:2268

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
43⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
44⤵
PID:2960

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
44⤵
PID:1492

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
44⤵
PID:1536

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
44⤵
- Executes dropped EXE
PID:1160

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
45⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
46⤵
- Modifies Windows Firewall
PID:2352

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
46⤵
- Modifies Windows Firewall
PID:2120

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
46⤵
PID:2224

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
46⤵
- Executes dropped EXE
PID:572

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
47⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
48⤵
- Modifies Windows Firewall
PID:1964

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
48⤵
PID:2308

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
48⤵
- Modifies Windows Firewall
PID:2356

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
48⤵
- Executes dropped EXE
PID:2952

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
49⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
50⤵
- Modifies Windows Firewall
PID:796

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
50⤵
- Modifies Windows Firewall
PID:2512

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
50⤵
- Modifies Windows Firewall
PID:628

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
50⤵
- Executes dropped EXE
PID:2076

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
51⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
52⤵
- Modifies Windows Firewall
PID:1128

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
52⤵
- Modifies Windows Firewall
PID:1764

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
52⤵
PID:1348

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
52⤵
- Executes dropped EXE
PID:1580

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
53⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
54⤵
PID:2920

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
54⤵
PID:2656

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
54⤵
- Modifies Windows Firewall
PID:1976

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
54⤵
- Executes dropped EXE
PID:808

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
55⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
56⤵
- Modifies Windows Firewall
PID:1292

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
56⤵
PID:1416

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
56⤵
PID:1728

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
56⤵
- Executes dropped EXE
PID:2416

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
57⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
58⤵
PID:2584

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
58⤵
- Modifies Windows Firewall
PID:2012

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
58⤵
PID:2908

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
58⤵
- Executes dropped EXE
PID:1584

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
59⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
60⤵
PID:2748

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
60⤵
- Modifies Windows Firewall
PID:2264

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
60⤵
- Modifies Windows Firewall
PID:2624

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
60⤵
- Executes dropped EXE
PID:1528

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
61⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
62⤵
- Modifies Windows Firewall
PID:2672

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
62⤵
PID:2840

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
62⤵
- Modifies Windows Firewall
PID:1616

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
62⤵
- Executes dropped EXE
PID:1448

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
63⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
64⤵
PID:2512

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
64⤵
- Modifies Windows Firewall
PID:2816

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
64⤵
- Modifies Windows Firewall
PID:1748

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
64⤵
- Executes dropped EXE
PID:2936

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
65⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
66⤵
PID:2060

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
66⤵
- Modifies Windows Firewall
PID:288

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
66⤵
- Modifies Windows Firewall
PID:1656

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
66⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
67⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
68⤵
- Modifies Windows Firewall
PID:1952

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
68⤵
PID:1152

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
68⤵
- Modifies Windows Firewall
PID:2084

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
68⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
69⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
70⤵
PID:1688

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
70⤵
- Modifies Windows Firewall
PID:1588

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
70⤵
- Modifies Windows Firewall
PID:628

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
70⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
71⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
72⤵
- Modifies Windows Firewall
PID:292

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
72⤵
PID:2120

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
72⤵
- Modifies Windows Firewall
PID:2440

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
72⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
73⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
74⤵
- Modifies Windows Firewall
PID:2820

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
74⤵
PID:2016

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
74⤵
- Modifies Windows Firewall
PID:1096

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
74⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
75⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
76⤵
PID:2840

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
76⤵
PID:1812

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
76⤵
PID:3032

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
76⤵
PID:452

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
77⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
78⤵
- Modifies Windows Firewall
PID:2704

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
78⤵
PID:2208

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
78⤵
PID:2612

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
78⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
79⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
80⤵
PID:2428

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
80⤵
- Modifies Windows Firewall
PID:772

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
80⤵
PID:540

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
80⤵
PID:2412

C:\Users\Admin\AppData\Roaming\Wservices.exe
"C:\Users\Admin\AppData\Roaming\Wservices.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1628

C:\Users\Admin\AppData\Roaming\Wservices.exe
"C:\Users\Admin\AppData\Roaming\Wservices.exe"
3⤵
PID:2624

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\melt.txt
Filesize
44B

MD5
298802dff6aa26d4fb941c7ccf5c0849

SHA1
11e518ca3409f1863ebc2d3f1be9fb701bad52c0

SHA256
df99fdbdf7b92b29b1bf1ca4283b4de2e04643b9739d2d1089ab5808e8e5665d

SHA512
0301017dfef1b74855d6535f3fd542257689479cb933c2e8742b5b6b94e26107fa38e7fc21bdb83d45184750eced344856092330fb30a1ebbc24b2b9004c8946

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
5B

MD5
53ce6d1ae8885b5d12e654469f456c83

SHA1
9d8b30c523ddef4d24134072b27716bec7d94d6f

SHA256
d7ebf92ad6e3bc44fbc3cfbb234ef4afafd7ea339f712229641a2849b6f87ce2

SHA512
c15df9281e9ccbb8d30e24e751b77a030e734f8cda4bd9482d3ca02f6b23e463a8e90ddd78a582ca059e57b8d0492c22583d792bc7368094ffc06e12cd145d9d

Download Submit
\Users\Admin\AppData\Local\Temp\test.exe
Filesize
93KB

MD5
5b5cecffd6d09aa17c582173815afd50

SHA1
20bfb5c4e4edf0900148ea309f9daf56301a8ddc

SHA256
ee19384a3d3599ab5f20eba3becd707dba301a94e383daf1248c08b4709aa230

SHA512
fe61e23dcd2acf8da0b25d206425ac5a3eab503726056605ca66a46b8ab933cd2741f7bf8353049c807284b7a146c53f27fdd78b52485573e3ef8c7f96e3d5bf

Download Submit
memory/376-285-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/376-276-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/376-275-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/376-274-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/828-428-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/828-420-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/828-419-0x00000000005C0000-0x0000000000600000-memory.dmp

Filesize
256KB

Download
memory/828-418-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1164-152-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1164-153-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1164-166-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1232-224-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1232-169-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1232-168-0x0000000001FA0000-0x0000000001FE0000-memory.dmp

Filesize
256KB

Download
memory/1232-167-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-332-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-324-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-322-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-323-0x0000000002130000-0x0000000002170000-memory.dmp

Filesize
256KB

Download
memory/1952-238-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1952-239-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1952-237-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1952-273-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2268-97-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2268-96-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2268-151-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-333-0x0000000001D90000-0x0000000001DD0000-memory.dmp

Filesize
256KB

Download
memory/2340-369-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-335-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-334-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-226-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/2576-227-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-225-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-236-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2624-1965-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2624-1955-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2624-1963-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2624-1968-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2624-1961-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2624-1959-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2624-1957-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2660-380-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2660-372-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2660-371-0x00000000020E0000-0x0000000002120000-memory.dmp

Filesize
256KB

Download
memory/2660-370-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2732-27-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2732-80-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2732-29-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2732-28-0x0000000002130000-0x0000000002170000-memory.dmp

Filesize
256KB

Download
memory/2756-12-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2756-26-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2756-14-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2756-13-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2796-321-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2796-287-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2796-284-0x00000000001F0000-0x0000000000230000-memory.dmp

Filesize
256KB

Download
memory/2796-286-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2868-223-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/2868-1-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/2868-0-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2972-417-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2972-382-0x0000000001E40000-0x0000000001E80000-memory.dmp

Filesize
256KB

Download
memory/2972-381-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2972-383-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/3064-95-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/3064-465-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/3064-431-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/3064-81-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/3064-82-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download
memory/3064-430-0x0000000001FA0000-0x0000000001FE0000-memory.dmp

Filesize
256KB

Download
memory/3064-429-0x00000000709F0000-0x0000000070F9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads