Malware Analysis Report

2025-01-22 13:16

Sample ID 240717-dtldfatdlr
Target 5c4a70d8d23b8305cddc270ce8763240N.exe
SHA256 8887919fe07f6127f8842a8ef02d2c3c8e964046a6d5f41640e3811f520ec9db
Tags
vava2 njrat evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8887919fe07f6127f8842a8ef02d2c3c8e964046a6d5f41640e3811f520ec9db

Threat Level: Known bad

The file 5c4a70d8d23b8305cddc270ce8763240N.exe was found to be: Known bad.

Malicious Activity Summary

vava2 njrat evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Njrat family

Modifies Windows Firewall

Disables Task Manager via registry modification

Loads dropped DLL

Checks computer location settings

Drops startup file

Executes dropped EXE

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-17 03:18

Signatures

Njrat family

njrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-17 03:18

Reported

2024-07-17 03:20

Platform

win7-20240704-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c4a70d8d23b8305cddc270ce8763240N.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Disables Task Manager via registry modification

evasion

Modifies Windows Firewall

evasion
Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A 64

Drops startup file

Description Indicator Process Target Count
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A 21
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A 21
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A 20
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A 1
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A 1

Executes dropped EXE

Description Indicator Process Target Count
N/A N/A C:\Windows\server.exe N/A 23
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A 22

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Windows\server.exe N/A 44

Drops autorun.inf file

Description Indicator Process Target Count
File created C:\autorun.inf C:\Windows\server.exe N/A 1
File opened for modification C:\autorun.inf C:\Windows\server.exe N/A 1
File created F:\autorun.inf C:\Windows\server.exe N/A 1
File opened for modification F:\autorun.inf C:\Windows\server.exe N/A 1

Drops file in System32 directory

Description Indicator Process Target Count
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A 22
File created C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A 1

Drops file in Program Files directory

Description Indicator Process Target Count
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A 22
File created C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A 1

Drops file in Windows directory

Description Indicator Process Target Count
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A 22
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A 22
File created C:\Windows\server.exe C:\Users\Admin\AppData\Local\Temp\5c4a70d8d23b8305cddc270ce8763240N.exe N/A 1

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A 21
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A 23
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A 19
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\server.exe N/A (×64)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A (×22)

AdjustTokenPrivileges can only enable a privilege the token already holds, and SeDebugPrivilege is assigned to administrators by default, so these rows are consistent with the sample running under an administrative token (which its writes to C:\Windows\server.exe and to the firewall configuration also require). With SeDebugPrivilege enabled, server.exe can open other processes regardless of their DACL.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 2148 (×4) N/A C:\Users\Admin\AppData\Local\Temp\5c4a70d8d23b8305cddc270ce8763240N.exe C:\Windows\server.exe
PID 2148 wrote to memory of 2740 (×4) N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2148 wrote to memory of 2660 (×4) N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2148 wrote to memory of 3040 (×4) N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2148 wrote to memory of 1724 (×4) N/A C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 1724 wrote to memory of 2288 (×4) N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Windows\server.exe
PID 2288 wrote to memory of 1232 (×4) N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2288 wrote to memory of 2324 (×4) N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2288 wrote to memory of 2312 (×4) N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2288 wrote to memory of 1356 (×4) N/A C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 1356 wrote to memory of 1772 (×4) N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Windows\server.exe
PID 1772 wrote to memory of 3064 (×4) N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1772 wrote to memory of 780 (×4) N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1772 wrote to memory of 3052 (×4) N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1772 wrote to memory of 3068 (×4) N/A C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 3068 wrote to memory of 2532 (×4) N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Windows\server.exe
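
The WriteProcessMemory rows above only ever pair a parent with a child it has just created, so they double as the process tree of the run. The Python below is an added example, not part of the sandbox report or the RAT: it parses the row text, rebuilds parent/child relationships, follows the non-netsh child from each node to expose the server.exe and svchost.exe respawn loop, and lists which instances launched netsh. The embedded input is the set of distinct writer/target pairs copied from the table (constructed subset; the report repeats each pair four times and the write counter handles that too). The function and field names are the example's own.

```python
"""Rebuild the process tree behind the 'PID X wrote to memory of Y' rows.

Added example, not part of the sandbox report: each row records a parent
writing into a child it has just created, so the rows double as a process
tree. Following the non-netsh child from each node exposes the
server.exe <-> svchost.exe respawn loop and each instance's netsh launches.
"""
import re
from collections import defaultdict

# Constructed input: the distinct writer/target pairs from the table above.
# The report lists every pair four times; build_tree's counter copes with that.
REPORT_ROWS = r"""
PID 2072 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\5c4a70d8d23b8305cddc270ce8763240N.exe C:\Windows\server.exe
PID 2148 wrote to memory of 2740 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2148 wrote to memory of 2660 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2148 wrote to memory of 3040 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2148 wrote to memory of 1724 N/A C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 1724 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Windows\server.exe
PID 2288 wrote to memory of 1232 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2288 wrote to memory of 2324 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2288 wrote to memory of 2312 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2288 wrote to memory of 1356 N/A C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 1356 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Windows\server.exe
PID 1772 wrote to memory of 3064 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1772 wrote to memory of 780 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1772 wrote to memory of 3052 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1772 wrote to memory of 3068 N/A C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 3068 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Windows\server.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

def parse_rows(text):
    """Return (writer_pid, target_pid, writer_image, target_image) per matching row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events

def build_tree(events):
    """Image, parent and children per PID, plus write count per parent->child edge."""
    image, parent, children, writes = {}, {}, defaultdict(list), defaultdict(int)
    for wpid, tpid, wimg, timg in events:
        image[wpid], image[tpid] = wimg, timg
        writes[(wpid, tpid)] += 1
        if writes[(wpid, tpid)] == 1:      # first write into a PID marks its creation
            parent[tpid] = wpid
            children[wpid].append(tpid)
    return {"image": image, "parent": parent, "children": children, "writes": writes}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def lineage(tree, root, helper="netsh.exe"):
    """Follow the single non-helper child from root until a leaf or a fork."""
    chain, pid = [], root
    while pid is not None:
        chain.append((pid, basename(tree["image"][pid])))
        nxt = [c for c in tree["children"].get(pid, [])
               if basename(tree["image"][c]) != helper]
        pid = nxt[0] if len(nxt) == 1 else None
    return chain

def helper_launches(tree, helper="netsh.exe"):
    """Parent PID -> list of helper (netsh) PIDs it created."""
    out = {}
    for p, cs in tree["children"].items():
        hs = [c for c in cs if basename(tree["image"][c]) == helper]
        if hs:
            out[p] = hs
    return out

def respawn_pair(chain):
    """The two images that alternate after the dropper, or None if no such loop."""
    names = [n for _, n in chain[1:]]
    if len(names) >= 4 and names[0] != names[1] and \
            all(names[i] == names[i % 2] for i in range(len(names))):
        return names[0], names[1]
    return None

def analyse(text=REPORT_ROWS):
    tree = build_tree(parse_rows(text))
    roots = [p for p in tree["image"] if p not in tree["parent"]]
    chain = lineage(tree, roots[0])
    return {"root": roots[0], "chain": chain,
            "loop": respawn_pair(chain), "helpers": helper_launches(tree)}

if __name__ == "__main__":
    r = analyse()
    print(" -> ".join(f"{p}:{n}" for p, n in r["chain"]))
    print("respawn loop:", r["loop"])
    for pid, hs in r["helpers"].items():
        print(f"  {pid} launched netsh {len(hs)}x: {hs}")
```

On the rows above this yields a single chain of eight processes rooted at PID 2072, alternating server.exe and svchost.exe after the dropper, with three netsh launches from each server.exe instance (2148, 2288, 1772). The same parser works on a full export of the table, where the write counter reports 4 per edge; only the first write is treated as creation, so repeated writes do not produce duplicate children.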

Processes

C:\Users\Admin\AppData\Local\Temp\5c4a70d8d23b8305cddc270ce8763240N.exe

"C:\Users\Admin\AppData\Local\Temp\5c4a70d8d23b8305cddc270ce8763240N.exe"

C:\Windows\server.exe (23 instances)

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe (69 instances; every server.exe instance runs the three commands below in this order)

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

netsh firewall delete allowedprogram "C:\Windows\server.exe"

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe (23 instances)

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

The full process list is one cycle repeated: the dropper starts C:\Windows\server.exe, which runs the netsh add/delete/add sequence and launches C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe, which in turn starts a fresh C:\Windows\server.exe (the WriteProcessMemory rows above show the same parent/child pairs). The cycle completed 22 times and the list ends with a 23rd svchost.exe. The svchost.exe here is a file under %APPDATA%\Microsoft, not the Windows service host in System32, and the firewall exception is re-registered on every respawn using the legacy "netsh firewall" context.
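
The three netsh command lines above are the entire firewall modification: a legacy-context allowedprogram exception for server.exe, deleted and immediately re-added by each new instance. The Python below is an added example, not part of this report or of the RAT: it parses firewall-exception command lines (the legacy syntax used here and the current "netsh advfirewall firewall add rule ... program=" form, which the report does not show) and scores a process-creation event on what separates this behaviour from an installer registering its product: the parent process opening the firewall for its own image, where that image lives, use of the deprecated context, and the same program being added more than once by one parent. The event records, the benign msiexec control event, the parent PIDs and the field names are constructed for the demonstration.

```python
"""Triage netsh firewall-exception commands from process-creation events.

Added example (not part of the sandbox report): parses both the legacy
'netsh firewall add|delete allowedprogram' syntax seen in the Processes list
and the current 'netsh advfirewall firewall add rule ... program=' form,
then scores each event on signals that separate a RAT opening a hole for
itself from an installer registering its product.
"""
import re
from collections import defaultdict

# Windows-style tokenizer: keeps backslashes, joins quoted spans, drops the quotes.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
# A file sitting directly under the Windows directory (not in System32 etc.).
WINDOWS_ROOT_FILE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)
# Locations an unprivileged user can write to.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\|windows\\temp\\|programdata\\)", re.I)

# Constructed events: the three command lines from the report under their
# server.exe parent, plus one benign control (an installer using the current syntax).
EVENTS = [
    {"parent_pid": 2148, "parent_image": r"C:\Windows\server.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE'},
    {"parent_pid": 2148, "parent_image": r"C:\Windows\server.exe",
     "cmdline": r'netsh firewall delete allowedprogram "C:\Windows\server.exe"'},
    {"parent_pid": 2148, "parent_image": r"C:\Windows\server.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE'},
    {"parent_pid": 4100, "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Vendor App" dir=in action=allow program="C:\Program Files\Vendor\app.exe"'},
]

def split_cmdline(cmd):
    return [t.replace('"', "") for t in TOKEN_RE.findall(cmd)]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_netsh(cmd):
    """{'verb', 'program', 'legacy'} for a firewall-exception command, else None."""
    toks = split_cmdline(cmd)
    if not toks:
        return None
    exe = basename(toks[0])
    if exe.endswith(".exe"):
        exe = exe[:-4]
    if exe != "netsh":
        return None
    low = [t.lower() for t in toks[1:]]
    kv = {k.lower(): v for k, v in (t.split("=", 1) for t in toks[1:] if "=" in t)}
    # Legacy context (deprecated since Vista, still accepted): positional or key=value.
    if len(low) >= 4 and low[0] == "firewall" and low[1] in ("add", "delete") \
            and low[2] == "allowedprogram":
        return {"verb": low[1], "program": kv.get("program", toks[4]), "legacy": True}
    # Current context: everything after 'rule' is key=value.
    if len(low) >= 4 and low[:2] == ["advfirewall", "firewall"] \
            and low[2] in ("add", "delete") and low[3] == "rule":
        return {"verb": low[2], "program": kv.get("program"), "legacy": False}
    return None

def triage(event):
    """(score, reasons) for one event, or None if it is not a firewall exception."""
    parsed = parse_netsh(event["cmdline"])
    if parsed is None or not parsed["program"]:
        return None
    prog = parsed["program"]
    hits = []
    if prog.lower() == event["parent_image"].lower():
        hits.append((5, "self-targeting: parent changes the firewall rule for its own image"))
    if WINDOWS_ROOT_FILE.match(prog):
        hits.append((3, "program sits directly under the Windows directory"))
    elif USER_WRITABLE.match(prog):
        hits.append((3, "program lives in a user-writable location"))
    if parsed["legacy"]:
        hits.append((1, "legacy 'netsh firewall' context, rare in current installers"))
    return sum(w for w, _ in hits), [r for _, r in hits]

def churn(events):
    """(parent_pid, program) pairs whose exception was added more than once."""
    adds = defaultdict(int)
    for ev in events:
        p = parse_netsh(ev["cmdline"])
        if p and p["verb"] == "add" and p["program"]:
            adds[(ev["parent_pid"], p["program"].lower())] += 1
    return {k: n for k, n in adds.items() if n > 1}

if __name__ == "__main__":
    for ev in EVENTS:
        print(basename(ev["parent_image"]), "->", ev["cmdline"])
        print("   ", triage(ev))
    print("re-added exceptions:", churn(EVENTS))
```

Note why the location test is split in two: a rule that only flags programs outside Program Files or the Windows directory would miss this sample, because C:\Windows\server.exe sits in a trusted tree. A file directly under the Windows root, rather than in System32 or SysWOW64, is unusual for legitimate software and so gets its own signal. The strongest single indicator remains the parent whitelisting its own image, which is exactly what each server.exe instance does here.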

Network

N/A

Files

memory/2072-0-0x0000000074491000-0x0000000074492000-memory.dmp

memory/2072-1-0x0000000074490000-0x0000000074A3B000-memory.dmp

memory/2072-2-0x0000000074490000-0x0000000074A3B000-memory.dmp

C:\Windows\server.exe

MD5 5c4a70d8d23b8305cddc270ce8763240
SHA1 ab5c00ed0693022679de26f976b3244f42ed45b4
SHA256 8887919fe07f6127f8842a8ef02d2c3c8e964046a6d5f41640e3811f520ec9db
SHA512 9c33390d92db9596660b29315617c7cbc9ec8d4029188f2f7429217a70597a785b1807649eed368a349c30eac50d9c9490f04b9bf91b290dd85dd9ef3792c797

Same hashes as the submitted sample (the MD5 is the sample's file name): C:\Windows\server.exe is an unmodified copy of the dropper, so a hash match on the original file also identifies the installed component.

memory/2072-12-0x0000000074490000-0x0000000074A3B000-memory.dmp

memory/2148-14-0x0000000074490000-0x0000000074A3B000-memory.dmp

memory/2148-13-0x0000000074490000-0x0000000074A3B000-memory.dmp

memory/2148-15-0x0000000074490000-0x0000000074A3B000-memory.dmp

C:\Users\Admin\AppData\Roaming\app

MD5 69cf10399d0d1350c3698099796624cb
SHA1 d0b58b76ff065f51172971853a7da414286d9ea7
SHA256 a7bff94c7cdef50b67a3bab142ebcec4d360491e339581c41f433fec6d002f48
SHA512 5e1c9745b2b529c026e51fbff7fd4e1e0bd208c705b7da830459758d28c01b32b9bc93caa7ad60228d3e785784023d8a739fda0dab62d3c76770ea84c257f1f7

memory/2148-66-0x0000000074490000-0x0000000074A3B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\melt.txt

MD5 28e4dd4093f543ce9c85dc38111b8e4d
SHA1 8607d0131f30e6246088ae3e3aeb58b6405fb65e
SHA256 0944e1d01a6e4926eb610353fb63f4ec70c3cc91dd03a49f90a256b67da9c3d1
SHA512 10e4e647856e37ad280acf3b283095f73fd5ccb40bf38cfa2a7e0040970efc39c553f30d2b06da1c55004a6a02145db36d032356fdabc2f533a9df52052d7ea3

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-17 03:18

Reported

2024-07-17 03:20

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c4a70d8d23b8305cddc270ce8763240N.exe"

Signatures

Disables Task Manager via registry modification

evasion

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A (×64)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5c4a70d8d23b8305cddc270ce8763240N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff5d7bf3f3023d28953b1efb3f911252Windows Update.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Windows\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Windows\server.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\server.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created F:\autorun.inf C:\Windows\server.exe N/A
File opened for modification F:\autorun.inf C:\Windows\server.exe N/A
File created C:\autorun.inf C:\Windows\server.exe N/A
File opened for modification C:\autorun.inf C:\Windows\server.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File created C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Windows\server.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File created C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Windows\server.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Local\Temp\5c4a70d8d23b8305cddc270ce8763240N.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A
File created C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
File opened for modification C:\Windows\server.exe C:\Windows\server.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A
N/A N/A C:\Windows\server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\5c4a70d8d23b8305cddc270ce8763240N.exe C:\Windows\server.exe
PID 2884 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\5c4a70d8d23b8305cddc270ce8763240N.exe C:\Windows\server.exe
PID 2884 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\5c4a70d8d23b8305cddc270ce8763240N.exe C:\Windows\server.exe
PID 1716 wrote to memory of 3952 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1716 wrote to memory of 3952 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1716 wrote to memory of 3952 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1716 wrote to memory of 3592 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1716 wrote to memory of 3592 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1716 wrote to memory of 3592 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1716 wrote to memory of 880 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1716 wrote to memory of 880 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1716 wrote to memory of 880 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1716 wrote to memory of 1376 N/A C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 1716 wrote to memory of 1376 N/A C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 1716 wrote to memory of 1376 N/A C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 1376 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Windows\server.exe
PID 1376 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Windows\server.exe
PID 1376 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Windows\server.exe
PID 5052 wrote to memory of 868 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 5052 wrote to memory of 868 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 5052 wrote to memory of 868 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 5052 wrote to memory of 1040 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 5052 wrote to memory of 1040 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 5052 wrote to memory of 1040 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 5052 wrote to memory of 5088 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 5052 wrote to memory of 5088 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 5052 wrote to memory of 5088 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 5052 wrote to memory of 4840 N/A C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 5052 wrote to memory of 4840 N/A C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 5052 wrote to memory of 4840 N/A C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 4840 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Windows\server.exe
PID 4840 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Windows\server.exe
PID 4840 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Windows\server.exe
PID 2676 wrote to memory of 2440 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2676 wrote to memory of 2440 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2676 wrote to memory of 2440 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2676 wrote to memory of 1716 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2676 wrote to memory of 1716 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2676 wrote to memory of 1716 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2676 wrote to memory of 3508 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2676 wrote to memory of 3508 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2676 wrote to memory of 3508 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2676 wrote to memory of 4232 N/A C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 2676 wrote to memory of 4232 N/A C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 2676 wrote to memory of 4232 N/A C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 4232 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Windows\server.exe
PID 4232 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Windows\server.exe
PID 4232 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Windows\server.exe
PID 1408 wrote to memory of 3884 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1408 wrote to memory of 3884 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1408 wrote to memory of 3884 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1408 wrote to memory of 3976 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1408 wrote to memory of 3976 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1408 wrote to memory of 3976 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1408 wrote to memory of 2280 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1408 wrote to memory of 2280 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1408 wrote to memory of 2280 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1408 wrote to memory of 5052 N/A C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 1408 wrote to memory of 5052 N/A C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 1408 wrote to memory of 5052 N/A C:\Windows\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 5052 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Windows\server.exe
PID 5052 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Windows\server.exe
PID 5052 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Windows\server.exe
PID 2996 wrote to memory of 1696 N/A C:\Windows\server.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5c4a70d8d23b8305cddc270ce8763240N.exe

"C:\Users\Admin\AppData\Local\Temp\5c4a70d8d23b8305cddc270ce8763240N.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\server.exe

"C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Windows\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/2884-0-0x0000000075222000-0x0000000075223000-memory.dmp

memory/2884-1-0x0000000075220000-0x00000000757D1000-memory.dmp

memory/2884-2-0x0000000075220000-0x00000000757D1000-memory.dmp

C:\Windows\server.exe

MD5 5c4a70d8d23b8305cddc270ce8763240
SHA1 ab5c00ed0693022679de26f976b3244f42ed45b4
SHA256 8887919fe07f6127f8842a8ef02d2c3c8e964046a6d5f41640e3811f520ec9db
SHA512 9c33390d92db9596660b29315617c7cbc9ec8d4029188f2f7429217a70597a785b1807649eed368a349c30eac50d9c9490f04b9bf91b290dd85dd9ef3792c797

memory/2884-13-0x0000000075220000-0x00000000757D1000-memory.dmp

memory/1716-14-0x0000000075220000-0x00000000757D1000-memory.dmp

memory/1716-15-0x0000000075220000-0x00000000757D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\app

MD5 69cf10399d0d1350c3698099796624cb
SHA1 d0b58b76ff065f51172971853a7da414286d9ea7
SHA256 a7bff94c7cdef50b67a3bab142ebcec4d360491e339581c41f433fec6d002f48
SHA512 5e1c9745b2b529c026e51fbff7fd4e1e0bd208c705b7da830459758d28c01b32b9bc93caa7ad60228d3e785784023d8a739fda0dab62d3c76770ea84c257f1f7

memory/1716-65-0x0000000075220000-0x00000000757D1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

MD5 a4467dea22bfd7e0083d680c571f5e7c
SHA1 59682ca656f04dd57f7ef4552b96f71d73196ea2
SHA256 d165b248678c73e289a7d4a8aa74acc5c09408e58b8f2abd668013ca12c00cc4
SHA512 73d25a179994c16b2b3a357e8b068ebf415418033cd601d7084b3a44d822cb99c33c396c9a27ad6fa2066748032e21f09ce89461bc3180ec071d2d64e68ad790

C:\Users\Admin\AppData\Local\Temp\melt.txt

MD5 28e4dd4093f543ce9c85dc38111b8e4d
SHA1 8607d0131f30e6246088ae3e3aeb58b6405fb65e
SHA256 0944e1d01a6e4926eb610353fb63f4ec70c3cc91dd03a49f90a256b67da9c3d1
SHA512 10e4e647856e37ad280acf3b283095f73fd5ccb40bf38cfa2a7e0040970efc39c553f30d2b06da1c55004a6a02145db36d032356fdabc2f533a9df52052d7ea3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log

MD5 661cab77d3b907e8057f2e689e995af3
SHA1 5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c
SHA256 8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2
SHA512 2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67