596d70406bbdb48846e0cf664fad89280c3db7ec1962f6ba81f94959068e23de

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

596d70406bbdb48846e0cf664fad89280c3db7ec1962f6ba81f94959068e23deN.exe
Size

92KB
MD5

50dc90e5deb892a3ce56a22ea460da30
SHA1

98bcb8f0077f0a053a0ef3de0f4db61af9788d06
SHA256

596d70406bbdb48846e0cf664fad89280c3db7ec1962f6ba81f94959068e23de
SHA512

5a0cd62538fbf998c0e7406b5832c897c09835e80de7cb078882640cd8e78d75f9a178392fe565c7786b0db831f0c4e4f9869b6d9ca8cb28596398fae03d02b2
SSDEEP

1536:HVyoNlCss8VB/IckKynaBG7ctwPHetky:H3Sss8VB/7maBG7QwPet

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 64 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2640	netsh.exe
2468	netsh.exe
1624	netsh.exe
1672	netsh.exe
2136	netsh.exe
1608	netsh.exe
848	netsh.exe
592	netsh.exe
2872	netsh.exe
2736	netsh.exe
1556	netsh.exe
2068	netsh.exe
1552	netsh.exe
772	netsh.exe
2260	netsh.exe
612	netsh.exe
2116	netsh.exe
1496	netsh.exe
292	netsh.exe
2220	netsh.exe
848	netsh.exe
2804	netsh.exe
2628	netsh.exe
2796	netsh.exe
772	netsh.exe
1000	netsh.exe
532	netsh.exe
552	netsh.exe
2540	netsh.exe
2732	netsh.exe
1244	netsh.exe
2784	netsh.exe
848	netsh.exe
760	netsh.exe
2588	netsh.exe
2840	netsh.exe
1812	netsh.exe
2528	netsh.exe
844	netsh.exe
1920	netsh.exe
2320	netsh.exe
2140	netsh.exe
2652	netsh.exe
1580	netsh.exe
1608	netsh.exe
1912	netsh.exe
880	netsh.exe
1660	netsh.exe
2988	netsh.exe
764	netsh.exe
2076	netsh.exe
2344	netsh.exe
2964	netsh.exe
2472	netsh.exe
2176	netsh.exe
1492	netsh.exe
2936	netsh.exe
2596	netsh.exe
1184	netsh.exe
1976	netsh.exe
2656	netsh.exe
2984	netsh.exe
2100	netsh.exe
2616	netsh.exe

Drops startup file 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51a09fa092e6e4d22122c270053bf3acWindows Defender.exe	server.exe

Executes dropped EXE 64 IoCs

pid	Process
1788	server.exe
2780	svchost.exe
1652	server.exe
1064	svchost.exe
1588	server.exe
1584	svchost.exe
1932	server.exe
2960	svchost.exe
1148	server.exe
1824	svchost.exe
2792	server.exe
1312	svchost.exe
2868	server.exe
1788	svchost.exe
3024	server.exe
2708	svchost.exe
2068	server.exe
2692	svchost.exe
1984	server.exe
2164	svchost.exe
2988	server.exe
1732	svchost.exe
1192	server.exe
1520	svchost.exe
2432	server.exe
2648	svchost.exe
2896	server.exe
1904	svchost.exe
1744	server.exe
2200	svchost.exe
1192	server.exe
2072	svchost.exe
1156	server.exe
1908	svchost.exe
2896	server.exe
1700	svchost.exe
464	server.exe
2224	svchost.exe
1780	server.exe
2024	svchost.exe
2764	server.exe
1968	svchost.exe
960	server.exe
2076	svchost.exe
1980	server.exe
2536	svchost.exe
2428	server.exe
2984	svchost.exe
404	server.exe
1704	svchost.exe
2660	server.exe
1812	svchost.exe
1708	server.exe
2800	svchost.exe
1792	server.exe
2416	svchost.exe
2324	server.exe
880	svchost.exe
2280	server.exe
1996	svchost.exe
2980	server.exe
2220	svchost.exe
2896	server.exe
1444	svchost.exe

Loads dropped DLL 64 IoCs

pid	Process
1788	server.exe
1788	server.exe
1652	server.exe
1652	server.exe
1588	server.exe
1588	server.exe
1932	server.exe
1932	server.exe
1148	server.exe
1148	server.exe
2792	server.exe
2792	server.exe
2868	server.exe
2868	server.exe
3024	server.exe
3024	server.exe
2068	server.exe
2068	server.exe
1984	server.exe
1984	server.exe
2988	server.exe
2988	server.exe
1192	server.exe
1192	server.exe
2432	server.exe
2432	server.exe
2896	server.exe
2896	server.exe
1744	server.exe
1744	server.exe
1192	server.exe
1192	server.exe
1156	server.exe
1156	server.exe
2896	server.exe
2896	server.exe
464	server.exe
464	server.exe
1780	server.exe
1780	server.exe
2764	server.exe
2764	server.exe
960	server.exe
960	server.exe
1980	server.exe
1980	server.exe
2428	server.exe
2428	server.exe
404	server.exe
404	server.exe
2660	server.exe
2660	server.exe
1708	server.exe
1708	server.exe
1792	server.exe
1792	server.exe
2324	server.exe
2324	server.exe
2280	server.exe
2280	server.exe
2980	server.exe
2980	server.exe
2896	server.exe
2896	server.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	server.exe
File created	F:\autorun.inf	server.exe
File opened for modification	F:\autorun.inf	server.exe
File created	C:\autorun.inf	server.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File created	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe

Drops file in Program Files directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File created	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	596d70406bbdb48846e0cf664fad89280c3db7ec1962f6ba81f94959068e23deN.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe
1788	server.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	server.exe
Token: SeDebugPrivilege	1652	server.exe
Token: SeDebugPrivilege	1588	server.exe
Token: SeDebugPrivilege	1932	server.exe
Token: SeDebugPrivilege	1148	server.exe
Token: SeDebugPrivilege	2792	server.exe
Token: SeDebugPrivilege	2868	server.exe
Token: SeDebugPrivilege	3024	server.exe
Token: SeDebugPrivilege	2068	server.exe
Token: SeDebugPrivilege	1984	server.exe
Token: SeDebugPrivilege	2988	server.exe
Token: SeDebugPrivilege	1192	server.exe
Token: SeDebugPrivilege	2432	server.exe
Token: SeDebugPrivilege	2896	server.exe
Token: SeDebugPrivilege	1744	server.exe
Token: SeDebugPrivilege	1192	server.exe
Token: SeDebugPrivilege	1156	server.exe
Token: SeDebugPrivilege	2896	server.exe
Token: SeDebugPrivilege	464	server.exe
Token: SeDebugPrivilege	1780	server.exe
Token: SeDebugPrivilege	2764	server.exe
Token: SeDebugPrivilege	960	server.exe
Token: SeDebugPrivilege	1980	server.exe
Token: SeDebugPrivilege	2428	server.exe
Token: SeDebugPrivilege	404	server.exe
Token: SeDebugPrivilege	2660	server.exe
Token: SeDebugPrivilege	1708	server.exe
Token: SeDebugPrivilege	1792	server.exe
Token: SeDebugPrivilege	2324	server.exe
Token: SeDebugPrivilege	2280	server.exe
Token: SeDebugPrivilege	2980	server.exe
Token: SeDebugPrivilege	2896	server.exe
Token: SeDebugPrivilege	2324	server.exe
Token: SeDebugPrivilege	1356	server.exe
Token: SeDebugPrivilege	1912	server.exe
Token: SeDebugPrivilege	1140	server.exe
Token: SeDebugPrivilege	2324	server.exe
Token: SeDebugPrivilege	2736	server.exe
Token: SeDebugPrivilege	1736	server.exe
Token: SeDebugPrivilege	292	server.exe
Token: SeDebugPrivilege	1776	server.exe
Token: SeDebugPrivilege	1904	server.exe
Token: SeDebugPrivilege	2060	server.exe
Token: SeDebugPrivilege	2820	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1788	1076	596d70406bbdb48846e0cf664fad89280c3db7ec1962f6ba81f94959068e23deN.exe	30
PID 1076 wrote to memory of 1788	1076	596d70406bbdb48846e0cf664fad89280c3db7ec1962f6ba81f94959068e23deN.exe	30
PID 1076 wrote to memory of 1788	1076	596d70406bbdb48846e0cf664fad89280c3db7ec1962f6ba81f94959068e23deN.exe	30
PID 1076 wrote to memory of 1788	1076	596d70406bbdb48846e0cf664fad89280c3db7ec1962f6ba81f94959068e23deN.exe	30
PID 1788 wrote to memory of 2876	1788	server.exe	31
PID 1788 wrote to memory of 2876	1788	server.exe	31
PID 1788 wrote to memory of 2876	1788	server.exe	31
PID 1788 wrote to memory of 2876	1788	server.exe	31
PID 1788 wrote to memory of 2784	1788	server.exe	33
PID 1788 wrote to memory of 2784	1788	server.exe	33
PID 1788 wrote to memory of 2784	1788	server.exe	33
PID 1788 wrote to memory of 2784	1788	server.exe	33
PID 1788 wrote to memory of 2616	1788	server.exe	34
PID 1788 wrote to memory of 2616	1788	server.exe	34
PID 1788 wrote to memory of 2616	1788	server.exe	34
PID 1788 wrote to memory of 2616	1788	server.exe	34
PID 1788 wrote to memory of 2780	1788	server.exe	37
PID 1788 wrote to memory of 2780	1788	server.exe	37
PID 1788 wrote to memory of 2780	1788	server.exe	37
PID 1788 wrote to memory of 2780	1788	server.exe	37
PID 2780 wrote to memory of 1652	2780	svchost.exe	38
PID 2780 wrote to memory of 1652	2780	svchost.exe	38
PID 2780 wrote to memory of 1652	2780	svchost.exe	38
PID 2780 wrote to memory of 1652	2780	svchost.exe	38
PID 1652 wrote to memory of 1660	1652	server.exe	39
PID 1652 wrote to memory of 1660	1652	server.exe	39
PID 1652 wrote to memory of 1660	1652	server.exe	39
PID 1652 wrote to memory of 1660	1652	server.exe	39
PID 1652 wrote to memory of 848	1652	server.exe	41
PID 1652 wrote to memory of 848	1652	server.exe	41
PID 1652 wrote to memory of 848	1652	server.exe	41
PID 1652 wrote to memory of 848	1652	server.exe	41
PID 1652 wrote to memory of 808	1652	server.exe	42
PID 1652 wrote to memory of 808	1652	server.exe	42
PID 1652 wrote to memory of 808	1652	server.exe	42
PID 1652 wrote to memory of 808	1652	server.exe	42
PID 1652 wrote to memory of 1064	1652	server.exe	45
PID 1652 wrote to memory of 1064	1652	server.exe	45
PID 1652 wrote to memory of 1064	1652	server.exe	45
PID 1652 wrote to memory of 1064	1652	server.exe	45
PID 1064 wrote to memory of 1588	1064	svchost.exe	46
PID 1064 wrote to memory of 1588	1064	svchost.exe	46
PID 1064 wrote to memory of 1588	1064	svchost.exe	46
PID 1064 wrote to memory of 1588	1064	svchost.exe	46
PID 1588 wrote to memory of 772	1588	server.exe	47
PID 1588 wrote to memory of 772	1588	server.exe	47
PID 1588 wrote to memory of 772	1588	server.exe	47
PID 1588 wrote to memory of 772	1588	server.exe	47
PID 1588 wrote to memory of 1740	1588	server.exe	49
PID 1588 wrote to memory of 1740	1588	server.exe	49
PID 1588 wrote to memory of 1740	1588	server.exe	49
PID 1588 wrote to memory of 1740	1588	server.exe	49
PID 1588 wrote to memory of 764	1588	server.exe	50
PID 1588 wrote to memory of 764	1588	server.exe	50
PID 1588 wrote to memory of 764	1588	server.exe	50
PID 1588 wrote to memory of 764	1588	server.exe	50
PID 1588 wrote to memory of 1584	1588	server.exe	53
PID 1588 wrote to memory of 1584	1588	server.exe	53
PID 1588 wrote to memory of 1584	1588	server.exe	53
PID 1588 wrote to memory of 1584	1588	server.exe	53
PID 1584 wrote to memory of 1932	1584	svchost.exe	54
PID 1584 wrote to memory of 1932	1584	svchost.exe	54
PID 1584 wrote to memory of 1932	1584	svchost.exe	54
PID 1584 wrote to memory of 1932	1584	svchost.exe	54

C:\Users\Admin\AppData\Local\Temp\596d70406bbdb48846e0cf664fad89280c3db7ec1962f6ba81f94959068e23deN.exe
"C:\Users\Admin\AppData\Local\Temp\596d70406bbdb48846e0cf664fad89280c3db7ec1962f6ba81f94959068e23deN.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\server.exe
  "C:\Windows\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2876
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Windows\server.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2784
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - System Location Discovery: System Language Discovery
    PID:2616
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\server.exe
      "C:\Windows\server.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1660
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:848
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        5⤵
        
        PID:808
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1064
      - C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        
        PID:772
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        8⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        9⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        9⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2960
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        11⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1700
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        11⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        11⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        11⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        12⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        13⤵
        Modifies Windows Firewall
        
        PID:1812
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        13⤵
        Modifies Windows Firewall
        
        PID:552
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        13⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        14⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        15⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1692
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        15⤵
        
        PID:672
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1788
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        16⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        17⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        17⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:592
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        17⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        17⤵
        Executes dropped EXE
        
        PID:2708
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        18⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        19⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1492
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        19⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        19⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        19⤵
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        20⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        21⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        21⤵
        Modifies Windows Firewall
        
        PID:2260
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        21⤵
        Modifies Windows Firewall
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        21⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2164
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        22⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        23⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2892
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        23⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2136
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        23⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1732
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        24⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        25⤵
        Modifies Windows Firewall
        
        PID:1608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        25⤵
        Modifies Windows Firewall
        
        PID:848
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        25⤵
        Modifies Windows Firewall
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1520
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        26⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        27⤵
        Modifies Windows Firewall
        
        PID:2736
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        27⤵
        Modifies Windows Firewall
        
        PID:2528
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        27⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        27⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        29⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        29⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2672
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        29⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        29⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        30⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        31⤵
        Modifies Windows Firewall
        
        PID:844
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        31⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2304
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        31⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2200
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        33⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        33⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        33⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        33⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2072
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        34⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        35⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2796
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        35⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2344
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        35⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        35⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1908
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        36⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        37⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        37⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:292
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        37⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        37⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1700
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        38⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        39⤵
        
        PID:568
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        39⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:328
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        39⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        40⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        41⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        41⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        41⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        41⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        42⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        43⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1624
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        43⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        43⤵
        Executes dropped EXE
        
        PID:1968
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        44⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        45⤵
        
        PID:780
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        45⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        45⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2076
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        47⤵
        Modifies Windows Firewall
        
        PID:1672
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        47⤵
        Modifies Windows Firewall
        
        PID:1184
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        47⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2536
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        48⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        49⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1000
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        49⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2964
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        49⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        49⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        50⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        51⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2960
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        51⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        51⤵
        Modifies Windows Firewall
        
        PID:2472
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        51⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        52⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        53⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        53⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        53⤵
        Modifies Windows Firewall
        
        PID:1580
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        54⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        55⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1548
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        55⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        55⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        55⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2800
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        56⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        57⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1556
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        57⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        57⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        57⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2416
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        58⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        59⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        59⤵
        Modifies Windows Firewall
        
        PID:2652
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        59⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        59⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        60⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        61⤵
        Modifies Windows Firewall
        
        PID:2804
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        61⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        63⤵
        Modifies Windows Firewall
        
        PID:612
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        63⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2940
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        63⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        63⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2220
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        64⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        65⤵
        Modifies Windows Firewall
        
        PID:2068
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        65⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1148
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        66⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        67⤵
        Modifies Windows Firewall
        
        PID:532
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        67⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        67⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        67⤵
        Drops file in Windows directory
        
        PID:2420
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        68⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        69⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1296
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        69⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        69⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        69⤵
        
        PID:2796
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        70⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        71⤵
        Modifies Windows Firewall
        
        PID:2116
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        71⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        71⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        71⤵
        
        PID:1600
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        72⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        73⤵
        Modifies Windows Firewall
        
        PID:1976
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        73⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1632
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        73⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        73⤵
        Drops file in Windows directory
        
        PID:2540
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        74⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        75⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        75⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:772
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        75⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        75⤵
        Drops file in Windows directory
        
        PID:2288
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        76⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        77⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        77⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        77⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        77⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        78⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        79⤵
        
        PID:564
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        79⤵
        Modifies Windows Firewall
        
        PID:2220
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        79⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        79⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        80⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:292
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        81⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        81⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1244
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        81⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1720
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        81⤵
        Drops file in Windows directory
        
        PID:3056
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        82⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        83⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        83⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        83⤵
        Drops file in Windows directory
        
        PID:2636
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        84⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        85⤵
        Modifies Windows Firewall
        
        PID:2320
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        85⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        85⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        85⤵
        Drops file in Windows directory
        
        PID:2880
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        86⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        87⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        87⤵
        Modifies Windows Firewall
        
        PID:848
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        87⤵
        Modifies Windows Firewall
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        87⤵
        Drops file in Windows directory
        
        PID:2340
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        88⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        89⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        89⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        89⤵
        Modifies Windows Firewall
        
        PID:880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        89⤵
        
        PID:2432
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        90⤵
        
        PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
21B

MD5
28e4dd4093f543ce9c85dc38111b8e4d

SHA1
8607d0131f30e6246088ae3e3aeb58b6405fb65e

SHA256
0944e1d01a6e4926eb610353fb63f4ec70c3cc91dd03a49f90a256b67da9c3d1

SHA512
10e4e647856e37ad280acf3b283095f73fd5ccb40bf38cfa2a7e0040970efc39c553f30d2b06da1c55004a6a02145db36d032356fdabc2f533a9df52052d7ea3

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
02b81b0cbe1faaa1fa62d5fc876ab443

SHA1
d473cfe21fb1f188689415b0bdd239688f8fddd9

SHA256
e7e9e2c247bc872bacce77661c78f001a17d70ee3130a9016a5818da9da00cdb

SHA512
592ab5b200d4c560951cb70288dc1b7a562f0cbfaee01ce03076b6934d537b88575c2e1e0fedcc05db95e6c224ca739923e7d74f9165e683f3fbad7bbf641784

Download Submit
C:\Windows\server.exe

Filesize
92KB

MD5
50dc90e5deb892a3ce56a22ea460da30

SHA1
98bcb8f0077f0a053a0ef3de0f4db61af9788d06

SHA256
596d70406bbdb48846e0cf664fad89280c3db7ec1962f6ba81f94959068e23de

SHA512
5a0cd62538fbf998c0e7406b5832c897c09835e80de7cb078882640cd8e78d75f9a178392fe565c7786b0db831f0c4e4f9869b6d9ca8cb28596398fae03d02b2

Download Submit
memory/1076-1-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/1076-2-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/1076-12-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/1076-0-0x0000000074D51000-0x0000000074D52000-memory.dmp

Filesize
4KB

Download
memory/1788-15-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/1788-14-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/1788-66-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/1788-13-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/2276-1325-0x00000000777F0000-0x000000007790F000-memory.dmp

Filesize
1.1MB

Download
memory/2276-1326-0x0000000077910000-0x0000000077A0A000-memory.dmp

Filesize
1000KB

Download