2ffc5d7602a7c79b149f2dc4fe9d4ae8f1e38bf8ebc5a07029451871e243de10

Analysis

max time kernel
150s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dde43cdcb278b5fe4d8970da4fb31cf.exe
Size

93KB
MD5

1dde43cdcb278b5fe4d8970da4fb31cf
SHA1

98d8bdf90eda8545e6674033932af4443cf072ac
SHA256

2ffc5d7602a7c79b149f2dc4fe9d4ae8f1e38bf8ebc5a07029451871e243de10
SHA512

f199cce436129133bcdb39aca5ecf393a7fadc0a10bc38978dad94c3a41429299b49973796edeffb8b016182ca1c213ec1f175085c381adaa807190d6287f27a
SSDEEP

1536:N+RnEoSnsqS5ut9YDR8SjEwzGi1dDeDVgS:N+tSnsqS5uTYD+7i1dwi

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 64 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3972	netsh.exe
4244	netsh.exe
388	netsh.exe
4856	netsh.exe
2932	netsh.exe
3516	netsh.exe
1480	netsh.exe
2368	netsh.exe
5096	netsh.exe
2752	netsh.exe
4864	netsh.exe
4032	netsh.exe
400	netsh.exe
1596	netsh.exe
3008	netsh.exe
4808	netsh.exe
4372	netsh.exe
4236	netsh.exe
3492	netsh.exe
2432	netsh.exe
1572	netsh.exe
2776	netsh.exe
3876	netsh.exe
4984	netsh.exe
4676	netsh.exe
3384	netsh.exe
3720	netsh.exe
4804	netsh.exe
2544	netsh.exe
4076	netsh.exe
4900	netsh.exe
4268	netsh.exe
3048	netsh.exe
3792	netsh.exe
4808	netsh.exe
3192	netsh.exe
2176	netsh.exe
1156	netsh.exe
1896	netsh.exe
3536	netsh.exe
1864	netsh.exe
3284	netsh.exe
2884	netsh.exe
4672	netsh.exe
3516	netsh.exe
3884	netsh.exe
4004	netsh.exe
4520	netsh.exe
4408	netsh.exe
3396	netsh.exe
5024	netsh.exe
4312	netsh.exe
1396	netsh.exe
4228	netsh.exe
944	netsh.exe
4960	netsh.exe
2284	netsh.exe
3136	netsh.exe
2236	netsh.exe
3696	netsh.exe
4636	netsh.exe
3668	netsh.exe
5004	netsh.exe
4952	netsh.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	server.exe

Drops startup file 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8654a281c9f4fdd6b7fb66d728ad2a41Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe

Executes dropped EXE 64 IoCs

pid	Process
1652	server.exe
3972	svchost.exe
4960	server.exe
4036	svchost.exe
220	server.exe
4676	svchost.exe
4312	server.exe
2452	svchost.exe
4700	server.exe
4344	svchost.exe
1524	server.exe
3008	svchost.exe
4636	server.exe
3168	svchost.exe
4832	server.exe
2752	svchost.exe
4644	server.exe
3656	svchost.exe
1760	server.exe
3912	svchost.exe
4928	server.exe
860	svchost.exe
4132	server.exe
1440	svchost.exe
428	server.exe
3196	svchost.exe
1904	server.exe
2552	svchost.exe
704	server.exe
2796	svchost.exe
4152	server.exe
1572	svchost.exe
1656	server.exe
3124	svchost.exe
3212	server.exe
3456	svchost.exe
3732	server.exe
724	svchost.exe
3012	server.exe
4440	svchost.exe
2632	server.exe
1084	svchost.exe
3328	server.exe
5016	svchost.exe
4380	server.exe
516	svchost.exe
448	server.exe
3656	svchost.exe
4384	server.exe
3256	svchost.exe
2124	server.exe
4224	svchost.exe
5044	server.exe
4120	svchost.exe
1484	server.exe
2656	svchost.exe
2368	server.exe
2460	svchost.exe
4356	server.exe
3160	svchost.exe
2688	server.exe
2164	svchost.exe
512	server.exe
1656	svchost.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe
File created	F:\autorun.inf	server.exe
File opened for modification	F:\autorun.inf	server.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	1dde43cdcb278b5fe4d8970da4fb31cf.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe
1652	server.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	server.exe
Token: SeDebugPrivilege	4960	server.exe
Token: SeDebugPrivilege	220	server.exe
Token: SeDebugPrivilege	4312	server.exe
Token: SeDebugPrivilege	4700	server.exe
Token: SeDebugPrivilege	1524	server.exe
Token: SeDebugPrivilege	4636	server.exe
Token: SeDebugPrivilege	4832	server.exe
Token: SeDebugPrivilege	4644	server.exe
Token: SeDebugPrivilege	1760	server.exe
Token: SeDebugPrivilege	4928	server.exe
Token: SeDebugPrivilege	4132	server.exe
Token: SeDebugPrivilege	428	server.exe
Token: SeDebugPrivilege	1904	server.exe
Token: SeDebugPrivilege	704	server.exe
Token: SeDebugPrivilege	4152	server.exe
Token: SeDebugPrivilege	1656	server.exe
Token: SeDebugPrivilege	3212	server.exe
Token: SeDebugPrivilege	3732	server.exe
Token: SeDebugPrivilege	3012	server.exe
Token: SeDebugPrivilege	2632	server.exe
Token: SeDebugPrivilege	3328	server.exe
Token: SeDebugPrivilege	4380	server.exe
Token: SeDebugPrivilege	448	server.exe
Token: SeDebugPrivilege	4384	server.exe
Token: SeDebugPrivilege	2124	server.exe
Token: SeDebugPrivilege	5044	server.exe
Token: SeDebugPrivilege	1484	server.exe
Token: SeDebugPrivilege	2368	server.exe
Token: SeDebugPrivilege	4356	server.exe
Token: SeDebugPrivilege	2688	server.exe
Token: SeDebugPrivilege	512	server.exe
Token: SeDebugPrivilege	2332	server.exe
Token: SeDebugPrivilege	3644	server.exe
Token: SeDebugPrivilege	4356	server.exe
Token: SeDebugPrivilege	4548	server.exe
Token: SeDebugPrivilege	4440	server.exe
Token: SeDebugPrivilege	2952	server.exe
Token: SeDebugPrivilege	368	server.exe
Token: SeDebugPrivilege	4952	server.exe
Token: SeDebugPrivilege	856	server.exe
Token: SeDebugPrivilege	3044	server.exe
Token: SeDebugPrivilege	3828	server.exe
Token: SeDebugPrivilege	2796	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 1652	3444	1dde43cdcb278b5fe4d8970da4fb31cf.exe	85
PID 3444 wrote to memory of 1652	3444	1dde43cdcb278b5fe4d8970da4fb31cf.exe	85
PID 3444 wrote to memory of 1652	3444	1dde43cdcb278b5fe4d8970da4fb31cf.exe	85
PID 1652 wrote to memory of 3048	1652	server.exe	86
PID 1652 wrote to memory of 3048	1652	server.exe	86
PID 1652 wrote to memory of 3048	1652	server.exe	86
PID 1652 wrote to memory of 4596	1652	server.exe	88
PID 1652 wrote to memory of 4596	1652	server.exe	88
PID 1652 wrote to memory of 4596	1652	server.exe	88
PID 1652 wrote to memory of 3516	1652	server.exe	89
PID 1652 wrote to memory of 3516	1652	server.exe	89
PID 1652 wrote to memory of 3516	1652	server.exe	89
PID 1652 wrote to memory of 3972	1652	server.exe	92
PID 1652 wrote to memory of 3972	1652	server.exe	92
PID 1652 wrote to memory of 3972	1652	server.exe	92
PID 3972 wrote to memory of 4960	3972	svchost.exe	93
PID 3972 wrote to memory of 4960	3972	svchost.exe	93
PID 3972 wrote to memory of 4960	3972	svchost.exe	93
PID 4960 wrote to memory of 2128	4960	server.exe	94
PID 4960 wrote to memory of 2128	4960	server.exe	94
PID 4960 wrote to memory of 2128	4960	server.exe	94
PID 4960 wrote to memory of 856	4960	server.exe	96
PID 4960 wrote to memory of 856	4960	server.exe	96
PID 4960 wrote to memory of 856	4960	server.exe	96
PID 4960 wrote to memory of 4808	4960	server.exe	97
PID 4960 wrote to memory of 4808	4960	server.exe	97
PID 4960 wrote to memory of 4808	4960	server.exe	97
PID 4960 wrote to memory of 4036	4960	server.exe	100
PID 4960 wrote to memory of 4036	4960	server.exe	100
PID 4960 wrote to memory of 4036	4960	server.exe	100
PID 4036 wrote to memory of 220	4036	svchost.exe	101
PID 4036 wrote to memory of 220	4036	svchost.exe	101
PID 4036 wrote to memory of 220	4036	svchost.exe	101
PID 220 wrote to memory of 4408	220	server.exe	102
PID 220 wrote to memory of 4408	220	server.exe	102
PID 220 wrote to memory of 4408	220	server.exe	102
PID 220 wrote to memory of 2176	220	server.exe	104
PID 220 wrote to memory of 2176	220	server.exe	104
PID 220 wrote to memory of 2176	220	server.exe	104
PID 220 wrote to memory of 1660	220	server.exe	105
PID 220 wrote to memory of 1660	220	server.exe	105
PID 220 wrote to memory of 1660	220	server.exe	105
PID 220 wrote to memory of 4676	220	server.exe	108
PID 220 wrote to memory of 4676	220	server.exe	108
PID 220 wrote to memory of 4676	220	server.exe	108
PID 4676 wrote to memory of 4312	4676	svchost.exe	109
PID 4676 wrote to memory of 4312	4676	svchost.exe	109
PID 4676 wrote to memory of 4312	4676	svchost.exe	109
PID 4312 wrote to memory of 1252	4312	server.exe	110
PID 4312 wrote to memory of 1252	4312	server.exe	110
PID 4312 wrote to memory of 1252	4312	server.exe	110
PID 4312 wrote to memory of 4224	4312	server.exe	112
PID 4312 wrote to memory of 4224	4312	server.exe	112
PID 4312 wrote to memory of 4224	4312	server.exe	112
PID 4312 wrote to memory of 4864	4312	server.exe	113
PID 4312 wrote to memory of 4864	4312	server.exe	113
PID 4312 wrote to memory of 4864	4312	server.exe	113
PID 4312 wrote to memory of 2452	4312	server.exe	116
PID 4312 wrote to memory of 2452	4312	server.exe	116
PID 4312 wrote to memory of 2452	4312	server.exe	116
PID 2452 wrote to memory of 4700	2452	svchost.exe	117
PID 2452 wrote to memory of 4700	2452	svchost.exe	117
PID 2452 wrote to memory of 4700	2452	svchost.exe	117
PID 4700 wrote to memory of 2832	4700	server.exe	118

C:\Users\Admin\AppData\Local\Temp\1dde43cdcb278b5fe4d8970da4fb31cf.exe
"C:\Users\Admin\AppData\Local\Temp\1dde43cdcb278b5fe4d8970da4fb31cf.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\server.exe
  "C:\Windows\server.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Drops autorun.inf file
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:3048
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Windows\server.exe"
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
    3⤵
    PID:3516
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - C:\Windows\server.exe
      "C:\Windows\server.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        5⤵
        
        PID:2128
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        5⤵
        
        PID:856
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:4808
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4036
      - C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        
        PID:4408
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        7⤵
        Modifies Windows Firewall
        
        PID:2176
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        7⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        8⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        9⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        9⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        9⤵
        Modifies Windows Firewall
        
        PID:4864
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        10⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        11⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        11⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        11⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4344
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        12⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        13⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        13⤵
        Modifies Windows Firewall
        
        PID:3876
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        13⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3008
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        14⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4636
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        15⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        15⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        15⤵
        Modifies Windows Firewall
        
        PID:2284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3168
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        16⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        17⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        17⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        17⤵
        Modifies Windows Firewall
        
        PID:4804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2752
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        18⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        19⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        19⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        19⤵
        Modifies Windows Firewall
        
        PID:1156
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3656
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        20⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        21⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        21⤵
        Modifies Windows Firewall
        
        PID:3792
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        21⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3912
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        22⤵
        Drops startup file
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        23⤵
        Modifies Windows Firewall
        
        PID:3396
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        23⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        23⤵
        Modifies Windows Firewall
        
        PID:1480
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:860
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        24⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        25⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        25⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        25⤵
        Modifies Windows Firewall
        
        PID:3668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1440
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        26⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:428
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        27⤵
        Modifies Windows Firewall
        
        PID:2544
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        27⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        27⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        27⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3196
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        28⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        29⤵
        Modifies Windows Firewall
        
        PID:4228
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        29⤵
        Modifies Windows Firewall
        
        PID:5024
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        29⤵
        Modifies Windows Firewall
        
        PID:5004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2552
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        30⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        31⤵
        Modifies Windows Firewall
        
        PID:4244
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        31⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        31⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2796
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        32⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        33⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        33⤵
        Modifies Windows Firewall
        
        PID:388
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        33⤵
        Modifies Windows Firewall
        
        PID:944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1572
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        34⤵
        Drops startup file
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        35⤵
        Modifies Windows Firewall
        
        PID:4856
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        35⤵
        Modifies Windows Firewall
        
        PID:1864
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        35⤵
        Modifies Windows Firewall
        
        PID:4984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3124
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        36⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3212
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        37⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        37⤵
        Modifies Windows Firewall
        
        PID:4676
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        37⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3456
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3732
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        39⤵
        Modifies Windows Firewall
        
        PID:4312
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        39⤵
        Modifies Windows Firewall
        
        PID:1896
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        39⤵
        Modifies Windows Firewall
        
        PID:3136
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:724
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        40⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        41⤵
        Modifies Windows Firewall
        
        PID:4960
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        41⤵
        Modifies Windows Firewall
        
        PID:4372
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        41⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4440
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        42⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        43⤵
        Modifies Windows Firewall
        
        PID:3972
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        43⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        43⤵
        Modifies Windows Firewall
        
        PID:1396
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1084
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        44⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3328
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        45⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        45⤵
        
        PID:768
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        45⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        46⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4380
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        47⤵
        Modifies Windows Firewall
        
        PID:3384
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        47⤵
        
        PID:672
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        47⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        47⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:516
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        49⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        49⤵
        Modifies Windows Firewall
        
        PID:4236
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        49⤵
        Modifies Windows Firewall
        
        PID:3720
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3656
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        50⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4384
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        51⤵
        Modifies Windows Firewall
        
        PID:4032
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        51⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        51⤵
        Modifies Windows Firewall
        
        PID:4808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        51⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3256
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        52⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        53⤵
        Modifies Windows Firewall
        
        PID:4672
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        53⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        53⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4224
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        54⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        55⤵
        Modifies Windows Firewall
        
        PID:3516
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        55⤵
        Modifies Windows Firewall
        
        PID:2932
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        55⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        55⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4120
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        56⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        57⤵
        
        PID:748
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        57⤵
        Modifies Windows Firewall
        
        PID:3536
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        57⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        57⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        58⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        59⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        59⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        59⤵
        Modifies Windows Firewall
        
        PID:3284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2460
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        60⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        61⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        61⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        61⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        62⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        63⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        63⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        63⤵
        Modifies Windows Firewall
        
        PID:400
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        64⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:512
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        65⤵
        Modifies Windows Firewall
        
        PID:3884
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        65⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        65⤵
        Modifies Windows Firewall
        
        PID:2236
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1656
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        66⤵
        Drops startup file
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        67⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        67⤵
        Modifies Windows Firewall
        
        PID:4076
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        67⤵
        Modifies Windows Firewall
        
        PID:4004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        67⤵
        Drops file in Windows directory
        
        PID:4032
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        68⤵
        Drops startup file
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        69⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        69⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        69⤵
        Modifies Windows Firewall
        
        PID:3492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        69⤵
        Checks computer location settings
        
        PID:1744
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        70⤵
        Checks computer location settings
        Drops startup file
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        71⤵
        Modifies Windows Firewall
        
        PID:3696
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        71⤵
        Modifies Windows Firewall
        
        PID:4952
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        71⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        71⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3136
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        72⤵
        Checks computer location settings
        Drops startup file
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4548
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        73⤵
        Modifies Windows Firewall
        
        PID:4900
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        73⤵
        Modifies Windows Firewall
        
        PID:1572
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        73⤵
        Modifies Windows Firewall
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        73⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1428
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        74⤵
        Drops startup file
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4440
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        75⤵
        Modifies Windows Firewall
        
        PID:2432
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        75⤵
        Modifies Windows Firewall
        
        PID:4268
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        75⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        75⤵
        Checks computer location settings
        
        PID:2056
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        76⤵
        Checks computer location settings
        Drops startup file
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        77⤵
        Modifies Windows Firewall
        
        PID:2368
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        77⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        77⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        77⤵
        Checks computer location settings
        
        PID:2564
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        78⤵
        Drops startup file
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        79⤵
        Modifies Windows Firewall
        
        PID:4520
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        79⤵
        Modifies Windows Firewall
        
        PID:5096
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        79⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        79⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:784
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        80⤵
        Checks computer location settings
        Drops startup file
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        81⤵
        Modifies Windows Firewall
        
        PID:2752
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        81⤵
        Modifies Windows Firewall
        
        PID:3516
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        81⤵
        Modifies Windows Firewall
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        81⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3336
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        82⤵
        Checks computer location settings
        Drops startup file
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        83⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        83⤵
        Modifies Windows Firewall
        
        PID:3008
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        83⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        83⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3684
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        84⤵
        Checks computer location settings
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        85⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        85⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        85⤵
        Modifies Windows Firewall
        
        PID:2776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        85⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4500
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        86⤵
        Checks computer location settings
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        87⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        87⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        87⤵
        Modifies Windows Firewall
        
        PID:4636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        87⤵
        Checks computer location settings
        
        PID:3928
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        88⤵
        Drops startup file
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        89⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        89⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        89⤵
        Modifies Windows Firewall
        
        PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
496B

MD5
a4467dea22bfd7e0083d680c571f5e7c

SHA1
59682ca656f04dd57f7ef4552b96f71d73196ea2

SHA256
d165b248678c73e289a7d4a8aa74acc5c09408e58b8f2abd668013ca12c00cc4

SHA512
73d25a179994c16b2b3a357e8b068ebf415418033cd601d7084b3a44d822cb99c33c396c9a27ad6fa2066748032e21f09ce89461bc3180ec071d2d64e68ad790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log

Filesize
408B

MD5
661cab77d3b907e8057f2e689e995af3

SHA1
5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

SHA256
8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

SHA512
2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
21B

MD5
28e4dd4093f543ce9c85dc38111b8e4d

SHA1
8607d0131f30e6246088ae3e3aeb58b6405fb65e

SHA256
0944e1d01a6e4926eb610353fb63f4ec70c3cc91dd03a49f90a256b67da9c3d1

SHA512
10e4e647856e37ad280acf3b283095f73fd5ccb40bf38cfa2a7e0040970efc39c553f30d2b06da1c55004a6a02145db36d032356fdabc2f533a9df52052d7ea3

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
8f11404a507cfb98455f89a534077f73

SHA1
0716c668f504450353527aff1a6457b8348cf435

SHA256
f7c301f3fcce1c2444b540090e5024f0cea1806ab8ae1d81901ecc3b63334cbb

SHA512
85403dd06da5851e8c4d727ca8d87cc0e7ff4974942ec22123366684ed0e51b543a29b6d2521e2e65784c69884fde8d711e5064f104b098293fcd18c44769492

Download Submit
C:\Windows\server.exe

Filesize
93KB

MD5
1dde43cdcb278b5fe4d8970da4fb31cf

SHA1
98d8bdf90eda8545e6674033932af4443cf072ac

SHA256
2ffc5d7602a7c79b149f2dc4fe9d4ae8f1e38bf8ebc5a07029451871e243de10

SHA512
f199cce436129133bcdb39aca5ecf393a7fadc0a10bc38978dad94c3a41429299b49973796edeffb8b016182ca1c213ec1f175085c381adaa807190d6287f27a

Download Submit
memory/1652-15-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/1652-16-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/1652-14-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/1652-47-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/3444-0-0x0000000075202000-0x0000000075203000-memory.dmp

Filesize
4KB

Download
memory/3444-13-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/3444-2-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/3444-1-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download