Analysis

  • max time kernel
    120s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-09-2024 21:45

General

  • Target

    596d70406bbdb48846e0cf664fad89280c3db7ec1962f6ba81f94959068e23deN.exe

  • Size

    92KB

  • MD5

    50dc90e5deb892a3ce56a22ea460da30

  • SHA1

    98bcb8f0077f0a053a0ef3de0f4db61af9788d06

  • SHA256

    596d70406bbdb48846e0cf664fad89280c3db7ec1962f6ba81f94959068e23de

  • SHA512

    5a0cd62538fbf998c0e7406b5832c897c09835e80de7cb078882640cd8e78d75f9a178392fe565c7786b0db831f0c4e4f9869b6d9ca8cb28596398fae03d02b2

  • SSDEEP

    1536:HVyoNlCss8VB/IckKynaBG7ctwPHetky:H3Sss8VB/7maBG7QwPet

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 64 IoCs
  • Checks computer location settings 2 TTPs 64 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 64 IoCs
  • Executes dropped EXE 64 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 35 IoCs
  • Drops file in Program Files directory 35 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\596d70406bbdb48846e0cf664fad89280c3db7ec1962f6ba81f94959068e23deN.exe
    "C:\Users\Admin\AppData\Local\Temp\596d70406bbdb48846e0cf664fad89280c3db7ec1962f6ba81f94959068e23deN.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Windows\server.exe
      "C:\Windows\server.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:728
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:5008
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:5100
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3980
        • C:\Windows\server.exe
          "C:\Windows\server.exe"
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4364
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:1912
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall delete allowedprogram "C:\Windows\server.exe"
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:1480
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
            5⤵
              PID:1576
            • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of WriteProcessMemory
              PID:4360
              • C:\Windows\server.exe
                "C:\Windows\server.exe"
                6⤵
                • Checks computer location settings
                • Drops startup file
                • Executes dropped EXE
                • Drops file in System32 directory
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2736
                • C:\Windows\SysWOW64\netsh.exe
                  netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                  7⤵
                  • Modifies Windows Firewall
                  • Event Triggered Execution: Netsh Helper DLL
                  PID:1632
                • C:\Windows\SysWOW64\netsh.exe
                  netsh firewall delete allowedprogram "C:\Windows\server.exe"
                  7⤵
                  • Modifies Windows Firewall
                  • Event Triggered Execution: Netsh Helper DLL
                  PID:3332
                • C:\Windows\SysWOW64\netsh.exe
                  netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                  7⤵
                  • Modifies Windows Firewall
                  • Event Triggered Execution: Netsh Helper DLL
                  PID:4996
                • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:3204
                  • C:\Windows\server.exe
                    "C:\Windows\server.exe"
                    8⤵
                    • Checks computer location settings
                    • Drops startup file
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Drops file in Program Files directory
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4008
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:1104
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh firewall delete allowedprogram "C:\Windows\server.exe"
                      9⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      PID:4716
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                      9⤵
                      • Modifies Windows Firewall
                      • Event Triggered Execution: Netsh Helper DLL
                      PID:4820
                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                      9⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of WriteProcessMemory
                      PID:2972
                      • C:\Windows\server.exe
                        "C:\Windows\server.exe"
                        10⤵
                        • Checks computer location settings
                        • Drops startup file
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Drops file in Program Files directory
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2256
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                          11⤵
                          • Event Triggered Execution: Netsh Helper DLL
                          • System Location Discovery: System Language Discovery
                          PID:3292
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh firewall delete allowedprogram "C:\Windows\server.exe"
                          11⤵
                          • Modifies Windows Firewall
                          PID:396
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                          11⤵
                          • Modifies Windows Firewall
                          PID:4024
                        • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                          "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                          11⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          PID:4628
                          • C:\Windows\server.exe
                            "C:\Windows\server.exe"
                            12⤵
                            • Checks computer location settings
                            • Drops startup file
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • Drops file in Program Files directory
                            • Drops file in Windows directory
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4348
                            • C:\Windows\SysWOW64\netsh.exe
                              netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                              13⤵
                              • Event Triggered Execution: Netsh Helper DLL
                              • System Location Discovery: System Language Discovery
                              PID:3368
                            • C:\Windows\SysWOW64\netsh.exe
                              netsh firewall delete allowedprogram "C:\Windows\server.exe"
                              13⤵
                              • Modifies Windows Firewall
                              PID:116
                            • C:\Windows\SysWOW64\netsh.exe
                              netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                              13⤵
                              • Modifies Windows Firewall
                              • System Location Discovery: System Language Discovery
                              PID:5028
                            • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                              "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                              13⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Drops file in Windows directory
                              PID:712
                              • C:\Windows\server.exe
                                "C:\Windows\server.exe"
                                14⤵
                                • Checks computer location settings
                                • Drops startup file
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • Drops file in Program Files directory
                                • Drops file in Windows directory
                                • Suspicious use of AdjustPrivilegeToken
                                PID:912
                                • C:\Windows\SysWOW64\netsh.exe
                                  netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                  15⤵
                                  • Event Triggered Execution: Netsh Helper DLL
                                  PID:4068
                                • C:\Windows\SysWOW64\netsh.exe
                                  netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                  15⤵
                                  • Modifies Windows Firewall
                                  • Event Triggered Execution: Netsh Helper DLL
                                  PID:5064
                                • C:\Windows\SysWOW64\netsh.exe
                                  netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                  15⤵
                                  • Event Triggered Execution: Netsh Helper DLL
                                  PID:3684
                                • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                  15⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Drops file in Windows directory
                                  • System Location Discovery: System Language Discovery
                                  PID:4752
                                  • C:\Windows\server.exe
                                    "C:\Windows\server.exe"
                                    16⤵
                                    • Checks computer location settings
                                    • Drops startup file
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • Drops file in Program Files directory
                                    • Drops file in Windows directory
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4884
                                    • C:\Windows\SysWOW64\netsh.exe
                                      netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                      17⤵
                                      • Modifies Windows Firewall
                                      • System Location Discovery: System Language Discovery
                                      PID:3376
                                    • C:\Windows\SysWOW64\netsh.exe
                                      netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                      17⤵
                                      • Modifies Windows Firewall
                                      • Event Triggered Execution: Netsh Helper DLL
                                      • System Location Discovery: System Language Discovery
                                      PID:4992
                                    • C:\Windows\SysWOW64\netsh.exe
                                      netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                      17⤵
                                      • Modifies Windows Firewall
                                      • Event Triggered Execution: Netsh Helper DLL
                                      • System Location Discovery: System Language Discovery
                                      PID:4320
                                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                      17⤵
                                      • Executes dropped EXE
                                      • Drops file in Windows directory
                                      PID:4580
                                      • C:\Windows\server.exe
                                        "C:\Windows\server.exe"
                                        18⤵
                                        • Checks computer location settings
                                        • Drops startup file
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Drops file in Program Files directory
                                        • Drops file in Windows directory
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4028
                                        • C:\Windows\SysWOW64\netsh.exe
                                          netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                          19⤵
                                          • Modifies Windows Firewall
                                          PID:3556
                                        • C:\Windows\SysWOW64\netsh.exe
                                          netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                          19⤵
                                          • Modifies Windows Firewall
                                          • Event Triggered Execution: Netsh Helper DLL
                                          PID:3368
                                        • C:\Windows\SysWOW64\netsh.exe
                                          netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                          19⤵
                                          • Modifies Windows Firewall
                                          • Event Triggered Execution: Netsh Helper DLL
                                          PID:2032
                                        • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                          "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                          19⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Drops file in Windows directory
                                          PID:2592
                                          • C:\Windows\server.exe
                                            "C:\Windows\server.exe"
                                            20⤵
                                            • Checks computer location settings
                                            • Drops startup file
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • Drops file in Program Files directory
                                            • Drops file in Windows directory
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3456
                                            • C:\Windows\SysWOW64\netsh.exe
                                              netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                              21⤵
                                                PID:2132
                                              • C:\Windows\SysWOW64\netsh.exe
                                                netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                21⤵
                                                • Modifies Windows Firewall
                                                PID:3816
                                              • C:\Windows\SysWOW64\netsh.exe
                                                netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                21⤵
                                                • Modifies Windows Firewall
                                                • Event Triggered Execution: Netsh Helper DLL
                                                PID:4500
                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                21⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Drops file in Windows directory
                                                PID:4272
                                                • C:\Windows\server.exe
                                                  "C:\Windows\server.exe"
                                                  22⤵
                                                  • Checks computer location settings
                                                  • Drops startup file
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • Drops file in Program Files directory
                                                  • Drops file in Windows directory
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1444
                                                  • C:\Windows\SysWOW64\netsh.exe
                                                    netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                    23⤵
                                                    • Modifies Windows Firewall
                                                    • System Location Discovery: System Language Discovery
                                                    PID:4476
                                                  • C:\Windows\SysWOW64\netsh.exe
                                                    netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                    23⤵
                                                    • Modifies Windows Firewall
                                                    • Event Triggered Execution: Netsh Helper DLL
                                                    PID:2648
                                                  • C:\Windows\SysWOW64\netsh.exe
                                                    netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                    23⤵
                                                    • Modifies Windows Firewall
                                                    • System Location Discovery: System Language Discovery
                                                    PID:4368
                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                    23⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Drops file in Windows directory
                                                    • System Location Discovery: System Language Discovery
                                                    PID:3932
                                                    • C:\Windows\server.exe
                                                      "C:\Windows\server.exe"
                                                      24⤵
                                                      • Checks computer location settings
                                                      • Drops startup file
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • Drops file in Program Files directory
                                                      • Drops file in Windows directory
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2516
                                                      • C:\Windows\SysWOW64\netsh.exe
                                                        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                        25⤵
                                                        • Modifies Windows Firewall
                                                        • System Location Discovery: System Language Discovery
                                                        PID:3200
                                                      • C:\Windows\SysWOW64\netsh.exe
                                                        netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                        25⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:60
                                                      • C:\Windows\SysWOW64\netsh.exe
                                                        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                        25⤵
                                                        • Modifies Windows Firewall
                                                        • Event Triggered Execution: Netsh Helper DLL
                                                        • System Location Discovery: System Language Discovery
                                                        PID:2148
                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                        25⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Drops file in Windows directory
                                                        PID:116
                                                        • C:\Windows\server.exe
                                                          "C:\Windows\server.exe"
                                                          26⤵
                                                          • Checks computer location settings
                                                          • Drops startup file
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          • Drops file in Program Files directory
                                                          • Drops file in Windows directory
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2488
                                                          • C:\Windows\SysWOW64\netsh.exe
                                                            netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                            27⤵
                                                            • Event Triggered Execution: Netsh Helper DLL
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2960
                                                          • C:\Windows\SysWOW64\netsh.exe
                                                            netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                            27⤵
                                                            • Modifies Windows Firewall
                                                            • Event Triggered Execution: Netsh Helper DLL
                                                            PID:3684
                                                          • C:\Windows\SysWOW64\netsh.exe
                                                            netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                            27⤵
                                                            • Modifies Windows Firewall
                                                            • Event Triggered Execution: Netsh Helper DLL
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2244
                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                            27⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Drops file in Windows directory
                                                            • System Location Discovery: System Language Discovery
                                                            PID:3916
                                                            • C:\Windows\server.exe
                                                              "C:\Windows\server.exe"
                                                              28⤵
                                                              • Checks computer location settings
                                                              • Drops startup file
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • Drops file in Program Files directory
                                                              • Drops file in Windows directory
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:436
                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                29⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:1844
                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                                29⤵
                                                                • Modifies Windows Firewall
                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                • System Location Discovery: System Language Discovery
                                                                PID:1632
                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                29⤵
                                                                  PID:4800
                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                  29⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Drops file in Windows directory
                                                                  PID:4224
                                                                  • C:\Windows\server.exe
                                                                    "C:\Windows\server.exe"
                                                                    30⤵
                                                                    • Checks computer location settings
                                                                    • Drops startup file
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    • Drops file in Program Files directory
                                                                    • Drops file in Windows directory
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:3104
                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                      netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                      31⤵
                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                      PID:3016
                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                      netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                                      31⤵
                                                                      • Modifies Windows Firewall
                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                      PID:2576
                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                      netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                      31⤵
                                                                      • Modifies Windows Firewall
                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                      PID:1460
                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                      31⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Drops file in Windows directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:1688
                                                                      • C:\Windows\server.exe
                                                                        "C:\Windows\server.exe"
                                                                        32⤵
                                                                        • Checks computer location settings
                                                                        • Drops startup file
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        • Drops file in Program Files directory
                                                                        • Drops file in Windows directory
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:4348
                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                          netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                          33⤵
                                                                          • Modifies Windows Firewall
                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:4860
                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                          netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                                          33⤵
                                                                          • Modifies Windows Firewall
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:2132
                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                          netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                          33⤵
                                                                          • Modifies Windows Firewall
                                                                          PID:1252
                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                          33⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Drops file in Windows directory
                                                                          PID:1376
                                                                          • C:\Windows\server.exe
                                                                            "C:\Windows\server.exe"
                                                                            34⤵
                                                                            • Checks computer location settings
                                                                            • Drops startup file
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            • Drops file in Program Files directory
                                                                            • Drops file in Windows directory
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:3480
                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                              netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                              35⤵
                                                                              • Modifies Windows Firewall
                                                                              • Event Triggered Execution: Netsh Helper DLL
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:3916
                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                              netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                                              35⤵
                                                                              • Modifies Windows Firewall
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:2736
                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                              netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                              35⤵
                                                                              • Modifies Windows Firewall
                                                                              • Event Triggered Execution: Netsh Helper DLL
                                                                              PID:544
                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                              "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                              35⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Drops file in Windows directory
                                                                              PID:2648
                                                                              • C:\Windows\server.exe
                                                                                "C:\Windows\server.exe"
                                                                                36⤵
                                                                                • Checks computer location settings
                                                                                • Drops startup file
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • Drops file in Program Files directory
                                                                                • Drops file in Windows directory
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:4996
                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                  netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                  37⤵
                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                  PID:5028
                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                  netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                                                  37⤵
                                                                                  • Modifies Windows Firewall
                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:804
                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                  netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                  37⤵
                                                                                    PID:2700
                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                    37⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    PID:3560
                                                                                    • C:\Windows\server.exe
                                                                                      "C:\Windows\server.exe"
                                                                                      38⤵
                                                                                      • Checks computer location settings
                                                                                      • Drops startup file
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      • Drops file in Program Files directory
                                                                                      • Drops file in Windows directory
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:3556
                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                        39⤵
                                                                                        • Modifies Windows Firewall
                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                        PID:5008
                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                        netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                                                        39⤵
                                                                                        • Modifies Windows Firewall
                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                        PID:3684
                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                        39⤵
                                                                                        • Modifies Windows Firewall
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:3316
                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                        39⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in Windows directory
                                                                                        PID:4040
                                                                                        • C:\Windows\server.exe
                                                                                          "C:\Windows\server.exe"
                                                                                          40⤵
                                                                                          • Checks computer location settings
                                                                                          • Drops startup file
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          • Drops file in Program Files directory
                                                                                          • Drops file in Windows directory
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2488
                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                            netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                            41⤵
                                                                                            • Modifies Windows Firewall
                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:4024
                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                            netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                                                            41⤵
                                                                                              PID:3328
                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                              netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                              41⤵
                                                                                              • Modifies Windows Firewall
                                                                                              PID:1448
                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                              "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                              41⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:1140
                                                                                              • C:\Windows\server.exe
                                                                                                "C:\Windows\server.exe"
                                                                                                42⤵
                                                                                                • Checks computer location settings
                                                                                                • Drops startup file
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • Drops file in Program Files directory
                                                                                                • Drops file in Windows directory
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:884
                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                  netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                  43⤵
                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                  PID:436
                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                  netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                                                                  43⤵
                                                                                                    PID:2312
                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                    netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                    43⤵
                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                    PID:4548
                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                    43⤵
                                                                                                    • Checks computer location settings
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in Windows directory
                                                                                                    PID:3204
                                                                                                    • C:\Windows\server.exe
                                                                                                      "C:\Windows\server.exe"
                                                                                                      44⤵
                                                                                                      • Drops startup file
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in System32 directory
                                                                                                      • Drops file in Program Files directory
                                                                                                      • Drops file in Windows directory
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:744
                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                        45⤵
                                                                                                        • Modifies Windows Firewall
                                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:3388
                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                        netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                                                                        45⤵
                                                                                                        • Modifies Windows Firewall
                                                                                                        PID:3476
                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                        45⤵
                                                                                                        • Modifies Windows Firewall
                                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                                        PID:4068
                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                        45⤵
                                                                                                        • Checks computer location settings
                                                                                                        • Executes dropped EXE
                                                                                                        PID:2260
                                                                                                        • C:\Windows\server.exe
                                                                                                          "C:\Windows\server.exe"
                                                                                                          46⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Drops startup file
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • Drops file in Program Files directory
                                                                                                          • Drops file in Windows directory
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:3316
                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                            netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                            47⤵
                                                                                                            • Modifies Windows Firewall
                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                            PID:4064
                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                            netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                                                                            47⤵
                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:2956
                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                            netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                            47⤵
                                                                                                            • Modifies Windows Firewall
                                                                                                            PID:1404
                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                            47⤵
                                                                                                            • Checks computer location settings
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in Windows directory
                                                                                                            PID:2256
                                                                                                            • C:\Windows\server.exe
                                                                                                              "C:\Windows\server.exe"
                                                                                                              48⤵
                                                                                                              • Checks computer location settings
                                                                                                              • Drops startup file
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              • Drops file in Program Files directory
                                                                                                              • Drops file in Windows directory
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:4052
                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                49⤵
                                                                                                                • Modifies Windows Firewall
                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                PID:4296
                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                                                                                49⤵
                                                                                                                • Modifies Windows Firewall
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:1116
                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                49⤵
                                                                                                                • Modifies Windows Firewall
                                                                                                                PID:32
                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                49⤵
                                                                                                                • Checks computer location settings
                                                                                                                • Executes dropped EXE
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:4768
                                                                                                                • C:\Windows\server.exe
                                                                                                                  "C:\Windows\server.exe"
                                                                                                                  50⤵
                                                                                                                  • Checks computer location settings
                                                                                                                  • Drops startup file
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • Drops file in Program Files directory
                                                                                                                  • Drops file in Windows directory
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:60
                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                    netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                    51⤵
                                                                                                                    • Modifies Windows Firewall
                                                                                                                    PID:4840
                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                    netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                                                                                    51⤵
                                                                                                                      PID:452
                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                      netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                      51⤵
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:1408
                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                      51⤵
                                                                                                                      • Checks computer location settings
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in Windows directory
                                                                                                                      PID:5044
                                                                                                                      • C:\Windows\server.exe
                                                                                                                        "C:\Windows\server.exe"
                                                                                                                        52⤵
                                                                                                                        • Checks computer location settings
                                                                                                                        • Drops startup file
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in System32 directory
                                                                                                                        • Drops file in Program Files directory
                                                                                                                        • Drops file in Windows directory
                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                        PID:1036
                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                          netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                          53⤵
                                                                                                                          • Modifies Windows Firewall
                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:2204
                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                          netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                                                                                          53⤵
                                                                                                                          • Modifies Windows Firewall
                                                                                                                          PID:4240
                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                          netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                          53⤵
                                                                                                                          • Modifies Windows Firewall
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:1932
                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                          53⤵
                                                                                                                          • Checks computer location settings
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in Windows directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:2880
                                                                                                                          • C:\Windows\server.exe
                                                                                                                            "C:\Windows\server.exe"
                                                                                                                            54⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            • Drops file in Program Files directory
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:4752
                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                              netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                              55⤵
                                                                                                                              • Modifies Windows Firewall
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:4320
                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                              netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                                                                                              55⤵
                                                                                                                              • Event Triggered Execution: Netsh Helper DLL
                                                                                                                              PID:4640
                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                              netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                              55⤵
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:2276
                                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                              "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                              55⤵
                                                                                                                              • Checks computer location settings
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in Windows directory
                                                                                                                              PID:3480
                                                                                                                              • C:\Windows\server.exe
                                                                                                                                "C:\Windows\server.exe"
                                                                                                                                56⤵
                                                                                                                                • Checks computer location settings
                                                                                                                                • Drops startup file
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Drops file in System32 directory
                                                                                                                                • Drops file in Program Files directory
                                                                                                                                • Drops file in Windows directory
                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                PID:4336
                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                  netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                                  57⤵
                                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:1448
                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                  netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                                                                                                  57⤵
                                                                                                                                    PID:2324
                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                    netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                                    57⤵
                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:4368
                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                    57⤵
                                                                                                                                    • Checks computer location settings
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in Windows directory
                                                                                                                                    PID:3160
                                                                                                                                    • C:\Windows\server.exe
                                                                                                                                      "C:\Windows\server.exe"
                                                                                                                                      58⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Drops file in System32 directory
                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                      • Drops file in Windows directory
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:3800
                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                                        59⤵
                                                                                                                                        • Modifies Windows Firewall
                                                                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                        PID:3016
                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                        netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                                                                                                        59⤵
                                                                                                                                        • Modifies Windows Firewall
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:5116
                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                                        59⤵
                                                                                                                                        • Modifies Windows Firewall
                                                                                                                                        PID:832
                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                        59⤵
                                                                                                                                        • Checks computer location settings
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Drops file in Windows directory
                                                                                                                                        PID:3988
                                                                                                                                        • C:\Windows\server.exe
                                                                                                                                          "C:\Windows\server.exe"
                                                                                                                                          60⤵
                                                                                                                                          • Checks computer location settings
                                                                                                                                          • Drops startup file
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                          • Drops file in Windows directory
                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                          PID:3932
                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                            netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                                            61⤵
                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                            PID:3136
                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                            netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                                                                                                            61⤵
                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                            PID:1976
                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                            netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                                            61⤵
                                                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                            PID:4064
                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                            61⤵
                                                                                                                                            • Checks computer location settings
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Drops file in Windows directory
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:3088
                                                                                                                                            • C:\Windows\server.exe
                                                                                                                                              "C:\Windows\server.exe"
                                                                                                                                              62⤵
                                                                                                                                              • Checks computer location settings
                                                                                                                                              • Drops startup file
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                              • Drops file in Windows directory
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:3740
                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                                                63⤵
                                                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:2136
                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                                                                                                                63⤵
                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                PID:760
                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                                                63⤵
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:828
                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                63⤵
                                                                                                                                                • Checks computer location settings
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:4052
                                                                                                                                                • C:\Windows\server.exe
                                                                                                                                                  "C:\Windows\server.exe"
                                                                                                                                                  64⤵
                                                                                                                                                  • Checks computer location settings
                                                                                                                                                  • Drops startup file
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                  PID:4028
                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                    netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                                                    65⤵
                                                                                                                                                      PID:2296
                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                      netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                                                                                                                      65⤵
                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:1840
                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                      netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                                                      65⤵
                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:436
                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                      65⤵
                                                                                                                                                      • Checks computer location settings
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:452
                                                                                                                                                      • C:\Windows\server.exe
                                                                                                                                                        "C:\Windows\server.exe"
                                                                                                                                                        66⤵
                                                                                                                                                        • Checks computer location settings
                                                                                                                                                        • Drops startup file
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                        PID:4824
                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                          netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                                                          67⤵
                                                                                                                                                            PID:1780
                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                            netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                                                                                                                            67⤵
                                                                                                                                                              PID:2360
                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                              netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                                                              67⤵
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:4068
                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                              67⤵
                                                                                                                                                              • Checks computer location settings
                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                              PID:3684
                                                                                                                                                              • C:\Windows\server.exe
                                                                                                                                                                "C:\Windows\server.exe"
                                                                                                                                                                68⤵
                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                • Drops startup file
                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                • Drops file in Program Files directory
                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                PID:1100
                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                  netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                                                                  69⤵
                                                                                                                                                                    PID:3704
                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                    netsh firewall delete allowedprogram "C:\Windows\server.exe"
                                                                                                                                                                    69⤵
                                                                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                    PID:1560
                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                    netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
                                                                                                                                                                    69⤵
                                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                    PID:544
                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                    69⤵
                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    PID:2276

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

                            Filesize

                            496B

                            MD5

                            a25e0ec08ea716dcc1f709ad1e752d71

                            SHA1

                            64685efa79682636b020453e2444b3d472ed3181

                            SHA256

                            15254310d916b50af5775cf0df7e256a28242c41d6e429bc9e98709c162297f1

                            SHA512

                            2fe3e3dc28b0de7a6de5569799bdcc0eafea32043c23e56dc4f65b94fc7202dc08d87ad66311335406495377a4180070d5b7cc1b5d26bb40500068459c6346ae

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log

                            Filesize

                            408B

                            MD5

                            42157868488d3ef98c00e3fa12f064be

                            SHA1

                            aad391be9ac3f6ce1ced49583690486a5f4186fb

                            SHA256

                            b9520170e84597186ba5cc223b9c2773f70d0cda088950bae2182e3b2237995c

                            SHA512

                            8f4a4bd63ceefc34158ea23f3a73dcc2848eeacdba8355d1251a96b4e0c18e2f3b0c4939be359f874f81fe4ee63283b8be43a70fe2dbaa2e64784333d10a2471

                          • C:\Users\Admin\AppData\Local\Temp\melt.txt

                            Filesize

                            21B

                            MD5

                            28e4dd4093f543ce9c85dc38111b8e4d

                            SHA1

                            8607d0131f30e6246088ae3e3aeb58b6405fb65e

                            SHA256

                            0944e1d01a6e4926eb610353fb63f4ec70c3cc91dd03a49f90a256b67da9c3d1

                            SHA512

                            10e4e647856e37ad280acf3b283095f73fd5ccb40bf38cfa2a7e0040970efc39c553f30d2b06da1c55004a6a02145db36d032356fdabc2f533a9df52052d7ea3

                          • C:\Users\Admin\AppData\Roaming\app

                            Filesize

                            5B

                            MD5

                            02b81b0cbe1faaa1fa62d5fc876ab443

                            SHA1

                            d473cfe21fb1f188689415b0bdd239688f8fddd9

                            SHA256

                            e7e9e2c247bc872bacce77661c78f001a17d70ee3130a9016a5818da9da00cdb

                            SHA512

                            592ab5b200d4c560951cb70288dc1b7a562f0cbfaee01ce03076b6934d537b88575c2e1e0fedcc05db95e6c224ca739923e7d74f9165e683f3fbad7bbf641784

                          • C:\Windows\server.exe

                            Filesize

                            92KB

                            MD5

                            50dc90e5deb892a3ce56a22ea460da30

                            SHA1

                            98bcb8f0077f0a053a0ef3de0f4db61af9788d06

                            SHA256

                            596d70406bbdb48846e0cf664fad89280c3db7ec1962f6ba81f94959068e23de

                            SHA512

                            5a0cd62538fbf998c0e7406b5832c897c09835e80de7cb078882640cd8e78d75f9a178392fe565c7786b0db831f0c4e4f9869b6d9ca8cb28596398fae03d02b2

                          • memory/1240-0-0x0000000074EC2000-0x0000000074EC3000-memory.dmp

                            Filesize

                            4KB

                          • memory/1240-1-0x0000000074EC0000-0x0000000075471000-memory.dmp

                            Filesize

                            5.7MB

                          • memory/1240-2-0x0000000074EC0000-0x0000000075471000-memory.dmp

                            Filesize

                            5.7MB

                          • memory/1240-13-0x0000000074EC0000-0x0000000075471000-memory.dmp

                            Filesize

                            5.7MB

                          • memory/2376-14-0x0000000074EC0000-0x0000000075471000-memory.dmp

                            Filesize

                            5.7MB

                          • memory/2376-15-0x0000000074EC0000-0x0000000075471000-memory.dmp

                            Filesize

                            5.7MB

                          • memory/2376-65-0x0000000074EC0000-0x0000000075471000-memory.dmp

                            Filesize

                            5.7MB