njrat | 5ff9c41518353b1c970d4f3b349081265ae8a944dd51255ef60edcfd726c20f1

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-09-2024 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ff9c41518353b1c970d4f3b349081265ae8a944dd51255ef60edcfd726c20f1.exe
Size

93KB
MD5

c6d44b4f274fb0b1a0c1b3c5d2ca7f56
SHA1

74d08d1b9ffc4d590ce3da49bb7733bc56bf2e47
SHA256

5ff9c41518353b1c970d4f3b349081265ae8a944dd51255ef60edcfd726c20f1
SHA512

79b669667be9fe824e14d566133d46a016e2bb0ed202be75a9c10b0a808d20a6fb91cf649f1324936447f82cd314b6e564726265dac0f102a62177afc75971e1
SSDEEP

1536:++zSyh6zaoFjuF0VR5jEwzGi1dDzDHgS:++AzaujucRWi1dDA

Score

10^/10

njrat victim discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Victim

hakim32.ddns.net:2000

who-premier.gl.at.ply.gg:41489

Mutex

81a450f9bb0676b239d695d97260d385

Attributes

reg_key
81a450f9bb0676b239d695d97260d385
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 64 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2636	netsh.exe
1744	netsh.exe
2876	netsh.exe
1344	netsh.exe
2096	netsh.exe
2752	netsh.exe
2200	netsh.exe
2212	netsh.exe
1592	netsh.exe
2056	netsh.exe
2308	netsh.exe
2772	netsh.exe
2604	netsh.exe
2360	netsh.exe
2044	netsh.exe
2940	netsh.exe
3048	netsh.exe
936	netsh.exe
2632	netsh.exe
1648	netsh.exe
1576	netsh.exe
2400	netsh.exe
2588	netsh.exe
2752	netsh.exe
1544	netsh.exe
2564	netsh.exe
2088	netsh.exe
2580	netsh.exe
2024	netsh.exe
2024	netsh.exe
552	netsh.exe
2028	netsh.exe
2472	netsh.exe
1028	netsh.exe
1576	netsh.exe
712	netsh.exe
1156	netsh.exe
2244	netsh.exe
2180	netsh.exe
1684	netsh.exe
2004	netsh.exe
1012	netsh.exe
2408	netsh.exe
1948	netsh.exe
2508	netsh.exe
1724	netsh.exe
2260	netsh.exe
2432	netsh.exe
1980	netsh.exe
2912	netsh.exe
996	netsh.exe
1336	netsh.exe
2388	netsh.exe
2004	netsh.exe
1740	netsh.exe
680	netsh.exe
1684	netsh.exe
2632	netsh.exe
536	netsh.exe
2888	netsh.exe
1364	netsh.exe
1408	netsh.exe
1656	netsh.exe
1248	netsh.exe

Drops startup file 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81a450f9bb0676b239d695d97260d385Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe

Executes dropped EXE 64 IoCs

pid	Process
1256	server.exe
2832	svchost.exe
2096	server.exe
408	svchost.exe
1620	server.exe
1580	svchost.exe
2716	server.exe
3052	svchost.exe
1320	server.exe
2504	svchost.exe
1612	server.exe
2940	svchost.exe
2712	server.exe
2844	svchost.exe
1604	server.exe
380	svchost.exe
1356	server.exe
2336	svchost.exe
2440	server.exe
2720	svchost.exe
1996	server.exe
1980	server.exe
1408	svchost.exe
1812	server.exe
1536	svchost.exe
2772	server.exe
2732	svchost.exe
2644	server.exe
864	svchost.exe
2956	server.exe
1404	svchost.exe
3056	server.exe
2760	svchost.exe
2848	server.exe
2684	svchost.exe
2260	server.exe
2012	svchost.exe
1920	server.exe
2056	svchost.exe
1736	server.exe
1664	svchost.exe
2500	server.exe
1012	svchost.exe
2088	server.exe
1364	svchost.exe
788	server.exe
2180	svchost.exe
1520	server.exe
1660	svchost.exe
1452	server.exe
1184	svchost.exe
2220	server.exe
2688	svchost.exe
2016	server.exe
1624	svchost.exe
1636	server.exe
2240	svchost.exe
2796	server.exe
1492	svchost.exe
2200	server.exe
1592	svchost.exe
2324	server.exe
1752	svchost.exe
2684	server.exe

Loads dropped DLL 64 IoCs

pid	Process
3024	5ff9c41518353b1c970d4f3b349081265ae8a944dd51255ef60edcfd726c20f1.exe
3024	5ff9c41518353b1c970d4f3b349081265ae8a944dd51255ef60edcfd726c20f1.exe
1256	server.exe
1256	server.exe
2832	svchost.exe
2832	svchost.exe
2096	server.exe
2096	server.exe
408	svchost.exe
408	svchost.exe
1620	server.exe
1620	server.exe
1580	svchost.exe
1580	svchost.exe
2716	server.exe
2716	server.exe
3052	svchost.exe
3052	svchost.exe
1320	server.exe
1320	server.exe
2504	svchost.exe
2504	svchost.exe
1612	server.exe
1612	server.exe
2940	svchost.exe
2940	svchost.exe
2712	server.exe
2712	server.exe
2844	svchost.exe
2844	svchost.exe
1604	server.exe
1604	server.exe
380	svchost.exe
380	svchost.exe
1356	server.exe
1356	server.exe
2336	svchost.exe
2336	svchost.exe
2440	server.exe
2440	server.exe
2720	svchost.exe
2720	svchost.exe
3048	svchost.exe
3048	svchost.exe
1980	server.exe
1980	server.exe
1408	svchost.exe
1408	svchost.exe
1812	server.exe
1812	server.exe
1536	svchost.exe
1536	svchost.exe
2772	server.exe
2772	server.exe
2732	svchost.exe
2732	svchost.exe
2644	server.exe
2644	server.exe
864	svchost.exe
864	svchost.exe
2956	server.exe
2956	server.exe
1404	svchost.exe
1404	svchost.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe
File created	F:\autorun.inf	server.exe
File opened for modification	F:\autorun.inf	server.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File created	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	server.exe

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File created	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe
File opened for modification	C:\Program Files (x86)\svhost.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe
1256	server.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeDebugPrivilege	1256	server.exe
Token: SeDebugPrivilege	2096	server.exe
Token: SeDebugPrivilege	1620	server.exe
Token: SeDebugPrivilege	2716	server.exe
Token: SeDebugPrivilege	1320	server.exe
Token: SeDebugPrivilege	1612	server.exe
Token: SeDebugPrivilege	2712	server.exe
Token: SeDebugPrivilege	1604	server.exe
Token: SeDebugPrivilege	1356	server.exe
Token: SeDebugPrivilege	2440	server.exe
Token: SeDebugPrivilege	1980	server.exe
Token: SeDebugPrivilege	1812	server.exe
Token: SeDebugPrivilege	2772	server.exe
Token: SeDebugPrivilege	2644	server.exe
Token: SeDebugPrivilege	2956	server.exe
Token: SeDebugPrivilege	3056	server.exe
Token: SeDebugPrivilege	2848	server.exe
Token: SeDebugPrivilege	2260	server.exe
Token: SeDebugPrivilege	1920	server.exe
Token: SeDebugPrivilege	1736	server.exe
Token: SeDebugPrivilege	2500	server.exe
Token: SeDebugPrivilege	2088	server.exe
Token: SeDebugPrivilege	788	server.exe
Token: SeDebugPrivilege	1520	server.exe
Token: SeDebugPrivilege	1452	server.exe
Token: SeDebugPrivilege	2220	server.exe
Token: SeDebugPrivilege	2016	server.exe
Token: SeDebugPrivilege	1636	server.exe
Token: SeDebugPrivilege	2796	server.exe
Token: SeDebugPrivilege	2200	server.exe
Token: SeDebugPrivilege	2324	server.exe
Token: SeDebugPrivilege	2684	server.exe
Token: SeDebugPrivilege	2028	server.exe
Token: SeDebugPrivilege	1336	server.exe
Token: SeDebugPrivilege	952	server.exe
Token: SeDebugPrivilege	1248	server.exe
Token: SeDebugPrivilege	2812	server.exe
Token: SeDebugPrivilege	1708	server.exe
Token: SeDebugPrivilege	1944	server.exe
Token: SeDebugPrivilege	1880	server.exe
Token: SeDebugPrivilege	236	server.exe
Token: SeDebugPrivilege	1660	server.exe
Token: SeDebugPrivilege	2400	server.exe
Token: SeDebugPrivilege	1408	server.exe
Token: SeDebugPrivilege	1680	server.exe
Token: SeDebugPrivilege	1548	server.exe
Token: SeDebugPrivilege	2068	server.exe
Token: SeDebugPrivilege	2944	server.exe
Token: SeDebugPrivilege	616	server.exe
Token: SeDebugPrivilege	2752	server.exe
Token: SeDebugPrivilege	2568	server.exe
Token: SeDebugPrivilege	2300	server.exe
Token: SeDebugPrivilege	2980	server.exe
Token: SeDebugPrivilege	1636	server.exe
Token: SeDebugPrivilege	2072	server.exe
Token: SeDebugPrivilege	1224	server.exe
Token: SeDebugPrivilege	2988	server.exe
Token: SeDebugPrivilege	2680	server.exe
Token: SeDebugPrivilege	2900	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 1256	3024	5ff9c41518353b1c970d4f3b349081265ae8a944dd51255ef60edcfd726c20f1.exe	31
PID 3024 wrote to memory of 1256	3024	5ff9c41518353b1c970d4f3b349081265ae8a944dd51255ef60edcfd726c20f1.exe	31
PID 3024 wrote to memory of 1256	3024	5ff9c41518353b1c970d4f3b349081265ae8a944dd51255ef60edcfd726c20f1.exe	31
PID 3024 wrote to memory of 1256	3024	5ff9c41518353b1c970d4f3b349081265ae8a944dd51255ef60edcfd726c20f1.exe	31
PID 1256 wrote to memory of 3044	1256	server.exe	32
PID 1256 wrote to memory of 3044	1256	server.exe	32
PID 1256 wrote to memory of 3044	1256	server.exe	32
PID 1256 wrote to memory of 3044	1256	server.exe	32
PID 1256 wrote to memory of 2888	1256	server.exe	34
PID 1256 wrote to memory of 2888	1256	server.exe	34
PID 1256 wrote to memory of 2888	1256	server.exe	34
PID 1256 wrote to memory of 2888	1256	server.exe	34
PID 1256 wrote to memory of 1344	1256	server.exe	35
PID 1256 wrote to memory of 1344	1256	server.exe	35
PID 1256 wrote to memory of 1344	1256	server.exe	35
PID 1256 wrote to memory of 1344	1256	server.exe	35
PID 1256 wrote to memory of 2832	1256	server.exe	38
PID 1256 wrote to memory of 2832	1256	server.exe	38
PID 1256 wrote to memory of 2832	1256	server.exe	38
PID 1256 wrote to memory of 2832	1256	server.exe	38
PID 2832 wrote to memory of 2096	2832	svchost.exe	39
PID 2832 wrote to memory of 2096	2832	svchost.exe	39
PID 2832 wrote to memory of 2096	2832	svchost.exe	39
PID 2832 wrote to memory of 2096	2832	svchost.exe	39
PID 2096 wrote to memory of 1096	2096	server.exe	40
PID 2096 wrote to memory of 1096	2096	server.exe	40
PID 2096 wrote to memory of 1096	2096	server.exe	40
PID 2096 wrote to memory of 1096	2096	server.exe	40
PID 2096 wrote to memory of 2400	2096	server.exe	42
PID 2096 wrote to memory of 2400	2096	server.exe	42
PID 2096 wrote to memory of 2400	2096	server.exe	42
PID 2096 wrote to memory of 2400	2096	server.exe	42
PID 2096 wrote to memory of 2092	2096	server.exe	44
PID 2096 wrote to memory of 2092	2096	server.exe	44
PID 2096 wrote to memory of 2092	2096	server.exe	44
PID 2096 wrote to memory of 2092	2096	server.exe	44
PID 2096 wrote to memory of 408	2096	server.exe	46
PID 2096 wrote to memory of 408	2096	server.exe	46
PID 2096 wrote to memory of 408	2096	server.exe	46
PID 2096 wrote to memory of 408	2096	server.exe	46
PID 408 wrote to memory of 1620	408	svchost.exe	47
PID 408 wrote to memory of 1620	408	svchost.exe	47
PID 408 wrote to memory of 1620	408	svchost.exe	47
PID 408 wrote to memory of 1620	408	svchost.exe	47
PID 1620 wrote to memory of 1048	1620	server.exe	48
PID 1620 wrote to memory of 1048	1620	server.exe	48
PID 1620 wrote to memory of 1048	1620	server.exe	48
PID 1620 wrote to memory of 1048	1620	server.exe	48
PID 1620 wrote to memory of 896	1620	server.exe	50
PID 1620 wrote to memory of 896	1620	server.exe	50
PID 1620 wrote to memory of 896	1620	server.exe	50
PID 1620 wrote to memory of 896	1620	server.exe	50
PID 1620 wrote to memory of 1932	1620	server.exe	51
PID 1620 wrote to memory of 1932	1620	server.exe	51
PID 1620 wrote to memory of 1932	1620	server.exe	51
PID 1620 wrote to memory of 1932	1620	server.exe	51
PID 1620 wrote to memory of 1580	1620	server.exe	54
PID 1620 wrote to memory of 1580	1620	server.exe	54
PID 1620 wrote to memory of 1580	1620	server.exe	54
PID 1620 wrote to memory of 1580	1620	server.exe	54
PID 1580 wrote to memory of 2716	1580	svchost.exe	55
PID 1580 wrote to memory of 2716	1580	svchost.exe	55
PID 1580 wrote to memory of 2716	1580	svchost.exe	55
PID 1580 wrote to memory of 2716	1580	svchost.exe	55

C:\Users\Admin\AppData\Local\Temp\5ff9c41518353b1c970d4f3b349081265ae8a944dd51255ef60edcfd726c20f1.exe
"C:\Users\Admin\AppData\Local\Temp\5ff9c41518353b1c970d4f3b349081265ae8a944dd51255ef60edcfd726c20f1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2888
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1344
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1096
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2400
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        5⤵
        
        PID:2092
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:408
      - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        7⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:896
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        8⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        9⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        9⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        11⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2032
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        11⤵
        Modifies Windows Firewall
        
        PID:552
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        11⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        12⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        13⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        13⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        14⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        15⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1932
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        15⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        15⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        16⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        17⤵
        Modifies Windows Firewall
        
        PID:1684
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        17⤵
        Modifies Windows Firewall
        
        PID:2028
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        17⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        19⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        19⤵
        Modifies Windows Firewall
        
        PID:2096
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        19⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        20⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        21⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        21⤵
        Modifies Windows Firewall
        
        PID:2432
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        21⤵
        Modifies Windows Firewall
        
        PID:1592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        23⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2792
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        23⤵
        Modifies Windows Firewall
        
        PID:2360
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        23⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        23⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        25⤵
        Modifies Windows Firewall
        
        PID:2752
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        25⤵
        Modifies Windows Firewall
        
        PID:2388
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        25⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        27⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        27⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2056
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        27⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        28⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        29⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3012
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        29⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        30⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        31⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2716
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        31⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1312
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        31⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        32⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        33⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        33⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        33⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        34⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        35⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        35⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        35⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        35⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        36⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        37⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        37⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2564
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        37⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        37⤵
        Executes dropped EXE
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        38⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        39⤵
        Modifies Windows Firewall
        
        PID:3048
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        39⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:864
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        39⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        39⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        41⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        41⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        41⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        41⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        42⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        43⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        43⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        43⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        43⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        44⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        45⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2044
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        45⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        45⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        46⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        47⤵
        Modifies Windows Firewall
        
        PID:1980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        47⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        47⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        48⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        49⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2940
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        49⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2820
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        51⤵
        
        PID:636
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        51⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        51⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        52⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        53⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        53⤵
        Modifies Windows Firewall
        
        PID:1012
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        53⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        54⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        55⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        55⤵
        Modifies Windows Firewall
        
        PID:2912
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        55⤵
        Modifies Windows Firewall
        
        PID:936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        55⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        57⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        57⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        57⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        57⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        58⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        59⤵
        
        PID:884
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        59⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        59⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1312
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        59⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        60⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        61⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        61⤵
        Modifies Windows Firewall
        
        PID:2088
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        61⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        61⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        62⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        63⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1844
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        63⤵
        Modifies Windows Firewall
        
        PID:1576
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        63⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        63⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        65⤵
        Modifies Windows Firewall
        
        PID:680
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        65⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2224
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        65⤵
        Modifies Windows Firewall
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        66⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        67⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        67⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        67⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        68⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        69⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        69⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        69⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        69⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        70⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        71⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        71⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2580
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        71⤵
        Modifies Windows Firewall
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        71⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        72⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        73⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        73⤵
        
        PID:532
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        73⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        73⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        74⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        75⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        75⤵
        Modifies Windows Firewall
        
        PID:1744
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        75⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        76⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        77⤵
        Modifies Windows Firewall
        
        PID:2876
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        77⤵
        Modifies Windows Firewall
        
        PID:2632
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        77⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        77⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        78⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        79⤵
        Modifies Windows Firewall
        
        PID:2508
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        79⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        79⤵
        Modifies Windows Firewall
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        79⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        80⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        81⤵
        Modifies Windows Firewall
        
        PID:1724
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        81⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1976
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        81⤵
        Modifies Windows Firewall
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        81⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        82⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        83⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1552
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        83⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        83⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        83⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        84⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:236
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        85⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        85⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        85⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        85⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        86⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        87⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        87⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1952
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        87⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:712
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        87⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        88⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        89⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        89⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2008
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        89⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        89⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        90⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        91⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2300
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        91⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        91⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        92⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        93⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        93⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        93⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        93⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        94⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        95⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        95⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        95⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        96⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        97⤵
        Modifies Windows Firewall
        
        PID:1248
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        97⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        98⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        99⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        99⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        99⤵
        Modifies Windows Firewall
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        99⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        100⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        101⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        101⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:996
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        101⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        102⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        103⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        103⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:712
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        103⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        104⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        105⤵
        Modifies Windows Firewall
        
        PID:1028
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        105⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1280
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        105⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        106⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        107⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        107⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        107⤵
        Modifies Windows Firewall
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        107⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        108⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        109⤵
        Modifies Windows Firewall
        
        PID:2180
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        109⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        109⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        109⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        110⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        111⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2144
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        111⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        111⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        111⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        112⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        113⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        113⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        113⤵
        Modifies Windows Firewall
        
        PID:1740
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        113⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        114⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        115⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        115⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        115⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        116⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        117⤵
        Modifies Windows Firewall
        
        PID:1544
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        117⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        117⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2296
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        117⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        118⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        119⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        119⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        119⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        119⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        120⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        121⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1604
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        121⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        121⤵
        Modifies Windows Firewall
        
        PID:536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        122⤵
        
        PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
44B

MD5
298802dff6aa26d4fb941c7ccf5c0849

SHA1
11e518ca3409f1863ebc2d3f1be9fb701bad52c0

SHA256
df99fdbdf7b92b29b1bf1ca4283b4de2e04643b9739d2d1089ab5808e8e5665d

SHA512
0301017dfef1b74855d6535f3fd542257689479cb933c2e8742b5b6b94e26107fa38e7fc21bdb83d45184750eced344856092330fb30a1ebbc24b2b9004c8946

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
a65a8cc18c0fdcac3b78ed8f032e2f98

SHA1
9087f7aaf4edf3b132348b1e5dfa7a678d57d40e

SHA256
ca1c5c735384c64968c987e3e608cb48a3cbd73e870f1bc6d60f2b24f9445e3a

SHA512
8e56c9aa0c90fb30b488fa72a0b9d40e69c357e32d8e6f9d5a299dfbf9df8c896c28684d7163972019ab53dfcfe35dc75e9b305e07c81b9984a410e04b96186d

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
93KB

MD5
c6d44b4f274fb0b1a0c1b3c5d2ca7f56

SHA1
74d08d1b9ffc4d590ce3da49bb7733bc56bf2e47

SHA256
5ff9c41518353b1c970d4f3b349081265ae8a944dd51255ef60edcfd726c20f1

SHA512
79b669667be9fe824e14d566133d46a016e2bb0ed202be75a9c10b0a808d20a6fb91cf649f1324936447f82cd314b6e564726265dac0f102a62177afc75971e1

Download Submit
memory/1256-15-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/1256-16-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/1256-62-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/3024-0-0x0000000074751000-0x0000000074752000-memory.dmp

Filesize
4KB

Download
memory/3024-1-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/3024-2-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/3024-14-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download