Analysis

  • max time kernel
    550s
  • max time network
    525s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-08-2024 12:18

General

  • Target

    gamesense crack.rar

  • Size

    8.9MB

  • MD5

    5d6bb82b4aee939f88f5b7c268e39ad0

  • SHA1

    b940594fbc56b00464d030c58ed8a5dd4dd3765a

  • SHA256

    52e6b23b06e40d27f1ddfee92af9286f7cd466c331bcbb3ebeba402b38874c58

  • SHA512

    0f9e758839cd0f13b0d097817de5b273cb2e85eae132fe4fb1f403265dea6c987ee6f264ba514b58d55b2d6883179693dc60baeeb53809c892d6f71bcfa2a7c4

  • SSDEEP

    6144:TFUmJOJu/3f+BLtABPDdNF6daduZTjAHUtVU141V6GIeyXuRA1D0C1XF:TFUmxZNQxZTjA0tEY69eyXT1DjXF

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/850434657128677426/NKtzHjpXTc8DWd5W7crWJQCaeVPSDZfP98WZ2JMx4BYhJfWt9hwb4ZsH-AtwJO41HgKu

Extracted

Family

njrat

Version

0.7d

Botnet

Anonymus

C2

hakim32.ddns.net:2000

82.202.167.67:5552

Mutex

891eb3526ecd6f2db1ef6d8512ec6014

Attributes
  • reg_key

    891eb3526ecd6f2db1ef6d8512ec6014

  • splitter

    |'|'|

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Disables Task Manager via registry modification
  • Modifies Windows Firewall 2 TTPs 64 IoCs
  • Checks computer location settings 2 TTPs 64 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 64 IoCs
  • Executes dropped EXE 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 21 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\gamesense crack.rar"
    1⤵
    • Modifies registry class
    PID:4460
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:2324
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1660
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:4256
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\gamesense crack.rar"
      1⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1112
    • C:\Users\Admin\Desktop\gamesense loader 2.exe
      "C:\Users\Admin\Desktop\gamesense loader 2.exe"
      1⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5116
    • C:\Users\Admin\Desktop\gamesense loader.exe
      "C:\Users\Admin\Desktop\gamesense loader.exe"
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Users\Admin\AppData\Local\Temp\server.exe
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        2⤵
        • Drops startup file
        • Executes dropped EXE
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4304
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
          3⤵
            PID:2716
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
            3⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:4844
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
            3⤵
            • System Location Discovery: System Language Discovery
            PID:4148
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:224
            • C:\Users\Admin\AppData\Local\Temp\server.exe
              "C:\Users\Admin\AppData\Local\Temp\server.exe"
              4⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Drops file in Program Files directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4104
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                5⤵
                  PID:2444
                • C:\Windows\SysWOW64\netsh.exe
                  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                  5⤵
                    PID:4152
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                    5⤵
                      PID:2344
                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                      5⤵
                      • Executes dropped EXE
                      • Suspicious use of WriteProcessMemory
                      PID:3712
                      • C:\Users\Admin\AppData\Local\Temp\server.exe
                        "C:\Users\Admin\AppData\Local\Temp\server.exe"
                        6⤵
                        • Checks computer location settings
                        • Drops startup file
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Drops file in Program Files directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2600
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                          7⤵
                          • Modifies Windows Firewall
                          PID:4668
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                          7⤵
                            PID:3124
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                            7⤵
                            • Modifies Windows Firewall
                            PID:4780
                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                            7⤵
                            • Executes dropped EXE
                            • Suspicious use of WriteProcessMemory
                            PID:5064
                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                              8⤵
                              • Checks computer location settings
                              • Drops startup file
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:512
                              • C:\Windows\SysWOW64\netsh.exe
                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                9⤵
                                  PID:4048
                                • C:\Windows\SysWOW64\netsh.exe
                                  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                  9⤵
                                    PID:2468
                                  • C:\Windows\SysWOW64\netsh.exe
                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                    9⤵
                                      PID:4464
                                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                      9⤵
                                      • Executes dropped EXE
                                      • Suspicious use of WriteProcessMemory
                                      PID:2792
                                      • C:\Users\Admin\AppData\Local\Temp\server.exe
                                        "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                        10⤵
                                        • Drops startup file
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Drops file in Program Files directory
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of WriteProcessMemory
                                        PID:408
                                        • C:\Windows\SysWOW64\netsh.exe
                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                          11⤵
                                          • Event Triggered Execution: Netsh Helper DLL
                                          PID:3744
                                        • C:\Windows\SysWOW64\netsh.exe
                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                          11⤵
                                            PID:5028
                                          • C:\Windows\SysWOW64\netsh.exe
                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                            11⤵
                                              PID:3096
                                            • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                              "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                              11⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              PID:852
                                              • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                12⤵
                                                • Drops startup file
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • Drops file in Program Files directory
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4196
                                                • C:\Windows\SysWOW64\netsh.exe
                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                  13⤵
                                                    PID:4712
                                                  • C:\Windows\SysWOW64\netsh.exe
                                                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                    13⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:1888
                                                  • C:\Windows\SysWOW64\netsh.exe
                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                    13⤵
                                                    • Modifies Windows Firewall
                                                    • Event Triggered Execution: Netsh Helper DLL
                                                    PID:1104
                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                    13⤵
                                                    • Executes dropped EXE
                                                    PID:4072
                                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                      14⤵
                                                      • Drops startup file
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:3248
                                                      • C:\Windows\SysWOW64\netsh.exe
                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                        15⤵
                                                          PID:1572
                                                        • C:\Windows\SysWOW64\netsh.exe
                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                          15⤵
                                                            PID:1372
                                                          • C:\Windows\SysWOW64\netsh.exe
                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                            15⤵
                                                            • Modifies Windows Firewall
                                                            PID:1788
                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                            15⤵
                                                            • Executes dropped EXE
                                                            PID:4676
                                                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                              16⤵
                                                              • Drops startup file
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • Drops file in Program Files directory
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:3244
                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                17⤵
                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                PID:3648
                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                17⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:512
                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                17⤵
                                                                  PID:2468
                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                  17⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  PID:3924
                                                                  • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                    18⤵
                                                                    • Drops startup file
                                                                    • Executes dropped EXE
                                                                    • Drops file in Program Files directory
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1284
                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                      19⤵
                                                                        PID:1084
                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                        19⤵
                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:4128
                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                        19⤵
                                                                        • Modifies Windows Firewall
                                                                        PID:2692
                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                        19⤵
                                                                        • Executes dropped EXE
                                                                        PID:864
                                                                        • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                          20⤵
                                                                          • Drops startup file
                                                                          • Executes dropped EXE
                                                                          • Drops file in Program Files directory
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:1016
                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                            21⤵
                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                            PID:3844
                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                            21⤵
                                                                            • Modifies Windows Firewall
                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                            PID:1972
                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                            21⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:2108
                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                            21⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            PID:2312
                                                                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                              22⤵
                                                                              • Drops startup file
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:692
                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                23⤵
                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                PID:3104
                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                23⤵
                                                                                  PID:4368
                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                  23⤵
                                                                                    PID:1092
                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                    23⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:3240
                                                                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                      24⤵
                                                                                      • Checks computer location settings
                                                                                      • Drops startup file
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      • Drops file in Program Files directory
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1780
                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                        25⤵
                                                                                        • Modifies Windows Firewall
                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                        PID:4564
                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                        25⤵
                                                                                          PID:2300
                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                          25⤵
                                                                                          • Modifies Windows Firewall
                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                          PID:512
                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                          25⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          PID:4992
                                                                                          • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                            26⤵
                                                                                            • Drops startup file
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in Program Files directory
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:876
                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                              27⤵
                                                                                              • Modifies Windows Firewall
                                                                                              PID:4044
                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                              netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                              27⤵
                                                                                              • Modifies Windows Firewall
                                                                                              • Event Triggered Execution: Netsh Helper DLL
                                                                                              PID:4436
                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                              27⤵
                                                                                              • Modifies Windows Firewall
                                                                                              PID:5028
                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                              "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                              27⤵
                                                                                              • Executes dropped EXE
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:3824
                                                                                              • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                28⤵
                                                                                                • Checks computer location settings
                                                                                                • Drops startup file
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • Drops file in Program Files directory
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:3392
                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                  29⤵
                                                                                                    PID:1480
                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                    29⤵
                                                                                                      PID:3204
                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                      29⤵
                                                                                                        PID:1104
                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                        29⤵
                                                                                                        • Checks computer location settings
                                                                                                        • Executes dropped EXE
                                                                                                        PID:3560
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                          30⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Drops startup file
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • Drops file in Program Files directory
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:4584
                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                            31⤵
                                                                                                            • Modifies Windows Firewall
                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                            PID:412
                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                            31⤵
                                                                                                              PID:908
                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                              31⤵
                                                                                                              • Event Triggered Execution: Netsh Helper DLL
                                                                                                              PID:4304
                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                              "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                              31⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:2264
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                32⤵
                                                                                                                • Checks computer location settings
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                • Drops file in Program Files directory
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:2992
                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                  33⤵
                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                  PID:3924
                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                  33⤵
                                                                                                                    PID:1240
                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                    33⤵
                                                                                                                    • Modifies Windows Firewall
                                                                                                                    PID:532
                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                    33⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:456
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                      34⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      • Drops file in Program Files directory
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      PID:1200
                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                        35⤵
                                                                                                                          PID:3516
                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                          35⤵
                                                                                                                            PID:916
                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                            35⤵
                                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                                            PID:2632
                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                            35⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:2472
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                              36⤵
                                                                                                                              • Drops startup file
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in System32 directory
                                                                                                                              • Drops file in Program Files directory
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:1664
                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                37⤵
                                                                                                                                  PID:2508
                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                  37⤵
                                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                  PID:2084
                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                  37⤵
                                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                  PID:3296
                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                  37⤵
                                                                                                                                  • Checks computer location settings
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:4048
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                    38⤵
                                                                                                                                    • Checks computer location settings
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in System32 directory
                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    PID:3520
                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                      39⤵
                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      PID:1752
                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                      39⤵
                                                                                                                                        PID:1136
                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                        39⤵
                                                                                                                                          PID:2484
                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                          39⤵
                                                                                                                                          • Checks computer location settings
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          PID:448
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                            40⤵
                                                                                                                                            • Checks computer location settings
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                            PID:1748
                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                              41⤵
                                                                                                                                                PID:4464
                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                41⤵
                                                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                PID:532
                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                41⤵
                                                                                                                                                  PID:4592
                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                  41⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  PID:456
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                    42⤵
                                                                                                                                                    • Checks computer location settings
                                                                                                                                                    • Drops startup file
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                    PID:4928
                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                      43⤵
                                                                                                                                                        PID:4956
                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                        43⤵
                                                                                                                                                          PID:3728
                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                          43⤵
                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                          PID:1920
                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                          43⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          PID:8
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                            44⤵
                                                                                                                                                            • Drops startup file
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                            PID:3968
                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                              45⤵
                                                                                                                                                                PID:1452
                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                45⤵
                                                                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                PID:2600
                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                45⤵
                                                                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                PID:2508
                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                45⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                PID:432
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                  46⤵
                                                                                                                                                                  • Drops startup file
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                  PID:4304
                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                    47⤵
                                                                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                    PID:3020
                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                    47⤵
                                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                                    PID:4676
                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                    47⤵
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    PID:3528
                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                    47⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    PID:2640
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                      48⤵
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                      PID:448
                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                        49⤵
                                                                                                                                                                        • Modifies Windows Firewall
                                                                                                                                                                        PID:4152
                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                        49⤵
                                                                                                                                                                          PID:2288
                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                          49⤵
                                                                                                                                                                            PID:5052
                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                            49⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            PID:4592
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                              50⤵
                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                              PID:2232
                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                51⤵
                                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                                PID:4108
                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                51⤵
                                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                PID:1160
                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                51⤵
                                                                                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                PID:892
                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                51⤵
                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                PID:4816
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                  52⤵
                                                                                                                                                                                  • Drops startup file
                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                  PID:3104
                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                    53⤵
                                                                                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                    PID:928
                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                    53⤵
                                                                                                                                                                                      PID:1012
                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                      53⤵
                                                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                      PID:2272
                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                      53⤵
                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      PID:2512
                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                        54⤵
                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                        • Drops startup file
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                        PID:4492
                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                          55⤵
                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                          PID:412
                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                          55⤵
                                                                                                                                                                                            PID:640
                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                            55⤵
                                                                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                            PID:3020
                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                            55⤵
                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                            PID:1864
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                              56⤵
                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                              PID:436
                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                57⤵
                                                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                                                PID:2896
                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                57⤵
                                                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                                                PID:864
                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                57⤵
                                                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                PID:3220
                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                57⤵
                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                PID:1932
                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                  58⤵
                                                                                                                                                                                                  • Drops startup file
                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                  PID:184
                                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                    59⤵
                                                                                                                                                                                                      PID:64
                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                      59⤵
                                                                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                      PID:4712
                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                      59⤵
                                                                                                                                                                                                        PID:4548
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                        59⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        PID:4360
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                          60⤵
                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                          PID:1332
                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                            61⤵
                                                                                                                                                                                                              PID:3788
                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                              netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                              61⤵
                                                                                                                                                                                                                PID:3184
                                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                61⤵
                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                PID:3408
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                61⤵
                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                PID:4364
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                  62⤵
                                                                                                                                                                                                                  • Drops startup file
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                  PID:2716
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                    63⤵
                                                                                                                                                                                                                      PID:228
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                      63⤵
                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                      PID:1168
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                      63⤵
                                                                                                                                                                                                                        PID:2948
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                        63⤵
                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                        PID:2320
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                          64⤵
                                                                                                                                                                                                                          • Drops startup file
                                                                                                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                          PID:4992
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                            65⤵
                                                                                                                                                                                                                              PID:4068
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                              netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                              65⤵
                                                                                                                                                                                                                              • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                              PID:1260
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                              65⤵
                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                              PID:3188
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                              65⤵
                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                              PID:1672
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                66⤵
                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                • Drops file in Program Files directory
                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                PID:2620
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                  67⤵
                                                                                                                                                                                                                                    PID:4780
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                    67⤵
                                                                                                                                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                    PID:4276
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                    67⤵
                                                                                                                                                                                                                                      PID:1956
                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                      67⤵
                                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                      PID:4424
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                        68⤵
                                                                                                                                                                                                                                        • Drops startup file
                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                        PID:2668
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                          69⤵
                                                                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                          PID:1456
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                          69⤵
                                                                                                                                                                                                                                            PID:540
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                            69⤵
                                                                                                                                                                                                                                              PID:3648
                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                              69⤵
                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                              PID:2692
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                70⤵
                                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                                • Drops startup file
                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                • Drops file in Program Files directory
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                PID:4848
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                  71⤵
                                                                                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                  PID:1244
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                  71⤵
                                                                                                                                                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                  PID:800
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                  71⤵
                                                                                                                                                                                                                                                    PID:760
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                    71⤵
                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                    PID:2976
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                      72⤵
                                                                                                                                                                                                                                                      • Drops startup file
                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                      PID:5100
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                        73⤵
                                                                                                                                                                                                                                                          PID:3824
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                          73⤵
                                                                                                                                                                                                                                                            PID:1584
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                            73⤵
                                                                                                                                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                                                                                                                                            PID:3108
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                            73⤵
                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                            PID:396
                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                              74⤵
                                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                                              • Drops startup file
                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                              PID:2420
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                75⤵
                                                                                                                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                                                                                                                PID:2632
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                75⤵
                                                                                                                                                                                                                                                                  PID:4780
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                  75⤵
                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                  PID:1200
                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                  75⤵
                                                                                                                                                                                                                                                                    PID:2620
                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                      76⤵
                                                                                                                                                                                                                                                                      • Drops startup file
                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                      PID:1888
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                        77⤵
                                                                                                                                                                                                                                                                        • Modifies Windows Firewall
                                                                                                                                                                                                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                        PID:4924
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                        77⤵
                                                                                                                                                                                                                                                                        • Modifies Windows Firewall
                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                        PID:3296
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                        77⤵
                                                                                                                                                                                                                                                                        • Modifies Windows Firewall
                                                                                                                                                                                                                                                                        PID:2916
                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                        77⤵
                                                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                                                        PID:4360
                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                          78⤵
                                                                                                                                                                                                                                                                          • Drops startup file
                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                          PID:1340
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                            79⤵
                                                                                                                                                                                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                            PID:5096
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                            79⤵
                                                                                                                                                                                                                                                                              PID:908
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                              79⤵
                                                                                                                                                                                                                                                                              • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                              PID:2948
                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                              79⤵
                                                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                                                              PID:924
                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                80⤵
                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                PID:2400
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                  81⤵
                                                                                                                                                                                                                                                                                    PID:3220
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                    81⤵
                                                                                                                                                                                                                                                                                      PID:4592
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                      81⤵
                                                                                                                                                                                                                                                                                        PID:448
                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                        81⤵
                                                                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                                                                        PID:392
                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                          82⤵
                                                                                                                                                                                                                                                                                          • Drops startup file
                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                          PID:1132
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                            83⤵
                                                                                                                                                                                                                                                                                              PID:916
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                              netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                              83⤵
                                                                                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                              PID:860
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                              83⤵
                                                                                                                                                                                                                                                                                                PID:4228
                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                83⤵
                                                                                                                                                                                                                                                                                                  PID:2516
                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                    84⤵
                                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                                    • Drops startup file
                                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                    PID:4080
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                      85⤵
                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                      PID:3440
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                      85⤵
                                                                                                                                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                      PID:3384
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                      85⤵
                                                                                                                                                                                                                                                                                                        PID:1204
                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                        85⤵
                                                                                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                                                                                        PID:928
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                          86⤵
                                                                                                                                                                                                                                                                                                          • Drops startup file
                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                          PID:996
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                            87⤵
                                                                                                                                                                                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                            PID:2640
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                            87⤵
                                                                                                                                                                                                                                                                                                              PID:912
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                              87⤵
                                                                                                                                                                                                                                                                                                                PID:1656
                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                87⤵
                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                PID:1168
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                  88⤵
                                                                                                                                                                                                                                                                                                                  • Drops startup file
                                                                                                                                                                                                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                  PID:1048
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                    89⤵
                                                                                                                                                                                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                    PID:4992
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                    89⤵
                                                                                                                                                                                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                    PID:2208
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                    89⤵
                                                                                                                                                                                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                    PID:1084
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                    89⤵
                                                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                                                    PID:4120
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                      90⤵
                                                                                                                                                                                                                                                                                                                      • Drops startup file
                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                      PID:2680
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                        91⤵
                                                                                                                                                                                                                                                                                                                          PID:4020
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                          91⤵
                                                                                                                                                                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                          PID:4548
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                          91⤵
                                                                                                                                                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                          PID:1836
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                          91⤵
                                                                                                                                                                                                                                                                                                                            PID:1720
                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                              92⤵
                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                              PID:2232
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                93⤵
                                                                                                                                                                                                                                                                                                                                  PID:3844
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                  93⤵
                                                                                                                                                                                                                                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                  PID:4804
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                  93⤵
                                                                                                                                                                                                                                                                                                                                    PID:4788
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                    93⤵
                                                                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                    PID:4104
                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                      94⤵
                                                                                                                                                                                                                                                                                                                                      • Drops startup file
                                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                      PID:4796
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                        95⤵
                                                                                                                                                                                                                                                                                                                                          PID:1440
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                          95⤵
                                                                                                                                                                                                                                                                                                                                            PID:408
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                            95⤵
                                                                                                                                                                                                                                                                                                                                              PID:4368
                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                              95⤵
                                                                                                                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                              PID:4176
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                96⤵
                                                                                                                                                                                                                                                                                                                                                  PID:2468
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                    97⤵
                                                                                                                                                                                                                                                                                                                                                      PID:532
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                      97⤵
                                                                                                                                                                                                                                                                                                                                                        PID:1932
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                        97⤵
                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                        PID:5052
                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                        97⤵
                                                                                                                                                                                                                                                                                                                                                          PID:512
                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                            98⤵
                                                                                                                                                                                                                                                                                                                                                            • Drops startup file
                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                            PID:3824
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                              99⤵
                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                              PID:4860
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                              netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                              99⤵
                                                                                                                                                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                              PID:4980
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                              99⤵
                                                                                                                                                                                                                                                                                                                                                                PID:2392
                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                99⤵
                                                                                                                                                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                PID:4772
                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                  100⤵
                                                                                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                  PID:1836
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                    101⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:3880
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                      101⤵
                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                      PID:1904
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                      101⤵
                                                                                                                                                                                                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                      PID:3764
                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                      101⤵
                                                                                                                                                                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                      PID:4604
                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                        102⤵
                                                                                                                                                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                        PID:3312
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                          103⤵
                                                                                                                                                                                                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                          PID:4456
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                          103⤵
                                                                                                                                                                                                                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                                          PID:3112
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                          103⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:3896
                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                            103⤵
                                                                                                                                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                            PID:2320
                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                              104⤵
                                                                                                                                                                                                                                                                                                                                                                              • Drops startup file
                                                                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                              PID:3380
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                105⤵
                                                                                                                                                                                                                                                                                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                                                PID:228
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                105⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:4516
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                  105⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:4152
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                    105⤵
                                                                                                                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                    PID:3400
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                      106⤵
                                                                                                                                                                                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                      PID:548
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                        107⤵
                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                        PID:5048
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                        107⤵
                                                                                                                                                                                                                                                                                                                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                                                        PID:4656
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                        107⤵
                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                        PID:1016
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                        107⤵
                                                                                                                                                                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                        PID:976
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                          108⤵
                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                          PID:848
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                            109⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:4984
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                              netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                              109⤵
                                                                                                                                                                                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                              PID:64
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                              109⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:2592
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                109⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:1688
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                    110⤵
                                                                                                                                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                    • Drops startup file
                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                    PID:3764
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                      111⤵
                                                                                                                                                                                                                                                                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                                                                      PID:1872
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                      111⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:4116
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                        111⤵
                                                                                                                                                                                                                                                                                                                                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                        PID:4312
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                        111⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:3244
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                            112⤵
                                                                                                                                                                                                                                                                                                                                                                                                            • Drops startup file
                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                            PID:2140
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                              113⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:4304
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                113⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3552
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                  113⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1244
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                  113⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4396
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                      114⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops startup file
                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2200
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                        115⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3164
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                          115⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4864
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                          115⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4352
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                          115⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4660
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                            116⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1756
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                              117⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:872
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                              117⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2092
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                              117⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:364
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                117⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3516
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                    118⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops startup file
                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3504
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                      119⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5072
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                      119⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4604
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                      119⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5060
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                      119⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4104
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                          120⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1304
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                            121⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1484
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                            121⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:408
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                            121⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:208
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                            121⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2652
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                              122⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4716
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                123⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4980
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                123⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3360
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                  123⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2548
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                    123⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4920
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                      124⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops startup file
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4060
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                        125⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4224
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                        125⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1804
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                        125⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4084
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                          125⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:404
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                            126⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops startup file
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2384
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                              127⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2344
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                127⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4964
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  127⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3252
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  127⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1144
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    128⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops startup file
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3204
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      129⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1872
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      129⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4296
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      129⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4924
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      129⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2056
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        130⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4368
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          131⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4856
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          131⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3412
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          131⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2652
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            131⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4024
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              132⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops startup file
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3208
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                133⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1720
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  133⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3372
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  133⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    133⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3112
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        134⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops startup file
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1968
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          135⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4800
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          135⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2896
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          135⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:852
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          135⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4372
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            136⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4388
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              137⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4928
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              137⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1876
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              137⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2528
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              137⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1308
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  138⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1936
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    139⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1132
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    139⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:912
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    139⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3440
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    139⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1752
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        140⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4296
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          141⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1888
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          141⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:864
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          141⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1400
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            141⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:852
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              142⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops startup file
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1092
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                143⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5052
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                143⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:652
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  143⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3380
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    143⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3936
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        144⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops startup file
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1184
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          145⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5060
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          145⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1492
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            145⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3732
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            145⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3148
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              146⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2376
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                147⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3788
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                147⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1632
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                147⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5032
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                147⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:852
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  148⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2392
                                                                                                                                                                                                                            • C:\Windows\system32\taskmgr.exe
                                                                                                                                                                                                                              "C:\Windows\system32\taskmgr.exe" /4
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                              • Checks SCSI registry key(s)
                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                              • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                              PID:4724
                                                                                                                                                                                                                            • C:\Windows\system32\taskmgr.exe
                                                                                                                                                                                                                              "C:\Windows\system32\taskmgr.exe" /4
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                              • Checks SCSI registry key(s)
                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                              • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                              PID:4484
                                                                                                                                                                                                                            • C:\Windows\system32\taskmgr.exe
                                                                                                                                                                                                                              "C:\Windows\system32\taskmgr.exe" /4
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                              • Checks SCSI registry key(s)
                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                              • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                              PID:696
                                                                                                                                                                                                                            • C:\Windows\system32\taskmgr.exe
                                                                                                                                                                                                                              "C:\Windows\system32\taskmgr.exe" /4
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                              • Checks SCSI registry key(s)
                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                              • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                              PID:4404
                                                                                                                                                                                                                            • C:\Windows\system32\taskmgr.exe
                                                                                                                                                                                                                              "C:\Windows\system32\taskmgr.exe" /4
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                              • Checks SCSI registry key(s)
                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                              PID:4340
                                                                                                                                                                                                                            • C:\Windows\system32\taskmgr.exe
                                                                                                                                                                                                                              "C:\Windows\system32\taskmgr.exe" /4
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                              • Checks SCSI registry key(s)
                                                                                                                                                                                                                              PID:2264
                                                                                                                                                                                                                            • C:\Windows\System32\resmon.exe
                                                                                                                                                                                                                              "C:\Windows\System32\resmon.exe"
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                PID:4980
                                                                                                                                                                                                                                • C:\Windows\System32\perfmon.exe
                                                                                                                                                                                                                                  "C:\Windows\System32\perfmon.exe" /res
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                                                                                  • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                                                                                                  PID:3188
                                                                                                                                                                                                                              • C:\Windows\system32\taskmgr.exe
                                                                                                                                                                                                                                "C:\Windows\system32\taskmgr.exe" /4
                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                • Checks SCSI registry key(s)
                                                                                                                                                                                                                                PID:3056

                                                                                                                                                                                                                              Network

                                                                                                                                                                                                                              MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                              Replay Monitor

                                                                                                                                                                                                                              Loading Replay Monitor...

                                                                                                                                                                                                                              Downloads

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\44\Process.txt

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                1KB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                158233b523e30166649bc1e85f0b1a89

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                c43bb3dcc5fdcb181fb6c6c1eaed01d044c3be2d

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                353f7df002c7000f6d8644b0bbd570930f23d389e998b52d320e4f7c48c0d411

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                7c3ab1f771382f8c80727caa49df65f82a6061755681cac908254ef92b20f9538b618a5a6c5440a249aa60f757ba17825621f80c7527e6fe33a88f14951eb9b8

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                d2fb266b97caff2086bf0fa74eddb6b2

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4B

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                f49655f856acb8884cc0ace29216f511

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                944B

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                6bd369f7c74a28194c991ed1404da30f

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                496B

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                a4467dea22bfd7e0083d680c571f5e7c

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                59682ca656f04dd57f7ef4552b96f71d73196ea2

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                d165b248678c73e289a7d4a8aa74acc5c09408e58b8f2abd668013ca12c00cc4

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                73d25a179994c16b2b3a357e8b068ebf415418033cd601d7084b3a44d822cb99c33c396c9a27ad6fa2066748032e21f09ce89461bc3180ec071d2d64e68ad790

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                408B

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                661cab77d3b907e8057f2e689e995af3

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\melt.txt

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                44B

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                298802dff6aa26d4fb941c7ccf5c0849

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                11e518ca3409f1863ebc2d3f1be9fb701bad52c0

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                df99fdbdf7b92b29b1bf1ca4283b4de2e04643b9739d2d1089ab5808e8e5665d

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                0301017dfef1b74855d6535f3fd542257689479cb933c2e8742b5b6b94e26107fa38e7fc21bdb83d45184750eced344856092330fb30a1ebbc24b2b9004c8946

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\app

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                5B

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                2099bb64fd1770d321df364f99b658d1

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                3124edeaa14c060becfa8b980ed77db15d56a9e3

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                d53ce6bdbd0c3cb4596ac3103f15824570a9858da95f63cedf64cec11dc44e2d

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                3481f2a02f7b1255ad0f3cd8a716de9c7414753b6f8657f0bf99738ff6623f8717469bc10e737d6c0d1d13846e726d50baeb5e8ef73efcfce7be5c63327c4895

                                                                                                                                                                                                                              • C:\Users\Admin\Desktop\gamesense loader 2.exe

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                274KB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                cfbcc27a1f00d7c734f03bb166836c8b

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                500a3e664976fea881997381b0d9b8337adea9ee

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                9e32f2a3e32335a0787dc706e717253486cde7902f0268f6513f84fb20ebd45b

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                d2c5b5b60c5bd0dbcc2359e860be4ce1beec5326d181483d28ab7c71d964bb990bcca5d0592347135bad73961412cf81924687aa85305e58dc8ab0e95e9a0538

                                                                                                                                                                                                                              • C:\Users\Admin\Desktop\gamesense loader.exe

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                93KB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                f7de0e1eae40992be6d2f38dbd64385f

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                5fffe1832df1adcf75646f89e1f7ec0e4ee38414

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                cf2b8e0a38841addb9d2078a94d4d06f2ca1ad591227ca943bb77106835dfa6c

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                46ec22d0458d1c938cce6156eaff05a592139b6addd785ca007cd3f9d3a850d772bdd3d844568a8b4b86bdf92c9bb0bdc562d279b5380d88dd5e222987f90648

                                                                                                                                                                                                                              • memory/2264-2210-0x0000022486DD0000-0x0000022486DD1000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/2264-2205-0x0000022486DD0000-0x0000022486DD1000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/2264-2207-0x0000022486DD0000-0x0000022486DD1000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/2264-2204-0x0000022486DD0000-0x0000022486DD1000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/2264-2208-0x0000022486DD0000-0x0000022486DD1000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/2264-2209-0x0000022486DD0000-0x0000022486DD1000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/2264-2211-0x0000022486DD0000-0x0000022486DD1000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/2264-2203-0x0000022486DD0000-0x0000022486DD1000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/2264-2212-0x0000022486DD0000-0x0000022486DD1000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/3056-2644-0x0000013F22D40000-0x0000013F22D41000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/3056-2645-0x0000013F22D40000-0x0000013F22D41000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/3056-2647-0x0000013F22D40000-0x0000013F22D41000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/3056-2643-0x0000013F22D40000-0x0000013F22D41000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/4724-195-0x00000281EACB0000-0x00000281EACB1000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/4724-185-0x00000281EACB0000-0x00000281EACB1000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/4724-194-0x00000281EACB0000-0x00000281EACB1000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/4724-193-0x00000281EACB0000-0x00000281EACB1000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/4724-183-0x00000281EACB0000-0x00000281EACB1000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/4724-196-0x00000281EACB0000-0x00000281EACB1000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/4724-199-0x00000281EACB0000-0x00000281EACB1000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/4724-198-0x00000281EACB0000-0x00000281EACB1000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/4724-197-0x00000281EACB0000-0x00000281EACB1000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/4724-184-0x00000281EACB0000-0x00000281EACB1000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                              • memory/5116-7-0x0000000000860000-0x00000000008AA000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                296KB