Malware Analysis Report

2025-03-15 06:23

Sample ID: 240930-c18xmstcpj
Target: shakeyodick.exe
SHA256: 615cce712299d6ba862286d4a7ea94f765b44f2f05b5d4f02046beba8b3791a3
Tags: njrat hacked discovery evasion persistence privilege_escalation trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 615cce712299d6ba862286d4a7ea94f765b44f2f05b5d4f02046beba8b3791a3

Threat Level: Known bad

The file shakeyodick.exe was found to be: Known bad.

Malicious Activity Summary

njrat hacked discovery evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Njrat family

Disables Task Manager via registry modification

Modifies Windows Firewall

Loads dropped DLL

Drops startup file

Executes dropped EXE

Checks computer location settings

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-30 02:33

Signatures

Njrat family

njrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-30 02:33

Reported

2024-09-30 02:36

Platform

win7-20240903-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\shakeyodick.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Disables Task Manager via registry modification

evasion

Drops startup file

Description Indicator Process Target Count
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A 8
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A 1
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A 9
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2e3e23c0cc43f33b4a1afb08205fb244Windows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A 1
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2e3e23c0cc43f33b4a1afb08205fb244Windows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A 8
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A 1

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\shakeyodick.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A 16
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A 16

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Drops file in System32 directory

Description Indicator Process Target Count
File created C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A 1
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A 9

Drops file in Program Files directory

Description Indicator Process Target Count
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A 8
File created C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A 1

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A 20
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A 21
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A 23

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A 25
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A 9
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\shakeyodick.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A 8

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2204 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\shakeyodick.exe C:\Users\Admin\AppData\Local\Temp\server.exe 4
PID 2008 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe 4
PID 2008 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe 4
PID 2008 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe 4
PID 2008 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe 4
PID 2492 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Users\Admin\AppData\Local\Temp\server.exe 4
PID 1956 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe 4
PID 1956 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe 4
PID 1956 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe 4
PID 1956 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe 4
PID 2144 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Users\Admin\AppData\Local\Temp\server.exe 4
PID 2748 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe 4
PID 2748 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe 4
PID 2748 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe 4
PID 2748 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe 4
PID 2248 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Users\Admin\AppData\Local\Temp\server.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\shakeyodick.exe

"C:\Users\Admin\AppData\Local\Temp\shakeyodick.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Network

N/A

Files

memory/2204-0-0x0000000074A31000-0x0000000074A32000-memory.dmp

memory/2204-1-0x0000000074A30000-0x0000000074FDB000-memory.dmp

memory/2204-2-0x0000000074A30000-0x0000000074FDB000-memory.dmp

\Users\Admin\AppData\Local\Temp\server.exe

MD5 a535dad10d6cd4f4c2511f63fb158aeb
SHA1 cd7be9d3482a016e0f72c5ba387f33a96294641a
SHA256 615cce712299d6ba862286d4a7ea94f765b44f2f05b5d4f02046beba8b3791a3
SHA512 16037d0cbafe06314534cb17f3e72b19f28acfa1828ac66949d162e046b92b61892d66322c24a57859657dc587c8f6bacaa7c13c73e89d721b6ab966c0b13f89

memory/2008-15-0x0000000074A30000-0x0000000074FDB000-memory.dmp

memory/2204-14-0x0000000074A30000-0x0000000074FDB000-memory.dmp

memory/2008-16-0x0000000074A30000-0x0000000074FDB000-memory.dmp

C:\Users\Admin\AppData\Roaming\app

MD5 b66e20886f9675fe4dbf430ea2d0bf8d
SHA1 2e676da72201e6e4482e00b300511900c6aee5a0
SHA256 899a421c56c18058cbdd16dd7fb313a57d36c1189ca0f442070ed01d17241414
SHA512 f431616522f775de27ccde420f0de6f8b3477fbe97cfd8001864b8289a570916a6dd32c84fcf8af6083d8c1b47c61aa5c73ed1e7cc75213d3f24bd94a93cb870

memory/2008-30-0x0000000074A30000-0x0000000074FDB000-memory.dmp

memory/2008-68-0x0000000074A30000-0x0000000074FDB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\melt.txt

MD5 298802dff6aa26d4fb941c7ccf5c0849
SHA1 11e518ca3409f1863ebc2d3f1be9fb701bad52c0
SHA256 df99fdbdf7b92b29b1bf1ca4283b4de2e04643b9739d2d1089ab5808e8e5665d
SHA512 0301017dfef1b74855d6535f3fd542257689479cb933c2e8742b5b6b94e26107fa38e7fc21bdb83d45184750eced344856092330fb30a1ebbc24b2b9004c8946

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-30 02:33

Reported

2024-09-30 02:36

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\shakeyodick.exe"

Signatures

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\shakeyodick.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2e3e23c0cc43f33b4a1afb08205fb244Windows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2e3e23c0cc43f33b4a1afb08205fb244Windows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2e3e23c0cc43f33b4a1afb08205fb244Windows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2e3e23c0cc43f33b4a1afb08205fb244Windows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2e3e23c0cc43f33b4a1afb08205fb244Windows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2e3e23c0cc43f33b4a1afb08205fb244Windows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2e3e23c0cc43f33b4a1afb08205fb244Windows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2e3e23c0cc43f33b4a1afb08205fb244Windows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2e3e23c0cc43f33b4a1afb08205fb244Windows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\shakeyodick.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4840 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\shakeyodick.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 4840 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\shakeyodick.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 4840 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\shakeyodick.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2368 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2368 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2368 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2368 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2368 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2368 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2368 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2368 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2368 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2368 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 2368 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 2368 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 4404 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 4404 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 4404 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2704 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2704 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2704 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2704 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2704 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2704 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2704 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2704 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2704 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2704 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 2704 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 2704 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 3152 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 3152 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 3152 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 4516 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 4516 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 4516 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 4516 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 4516 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 4516 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 4516 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 4516 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 4516 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 4516 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 4516 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 4516 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 212 wrote to memory of 744 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 212 wrote to memory of 744 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 212 wrote to memory of 744 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 744 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 744 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 744 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 744 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 744 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 744 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 744 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 744 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 744 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 744 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 744 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 744 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
PID 1924 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1924 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1924 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 4344 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\shakeyodick.exe

"C:\Users\Admin\AppData\Local\Temp\shakeyodick.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/4840-0-0x0000000074AD2000-0x0000000074AD3000-memory.dmp

memory/4840-1-0x0000000074AD0000-0x0000000075081000-memory.dmp

memory/4840-2-0x0000000074AD0000-0x0000000075081000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 a535dad10d6cd4f4c2511f63fb158aeb
SHA1 cd7be9d3482a016e0f72c5ba387f33a96294641a
SHA256 615cce712299d6ba862286d4a7ea94f765b44f2f05b5d4f02046beba8b3791a3
SHA512 16037d0cbafe06314534cb17f3e72b19f28acfa1828ac66949d162e046b92b61892d66322c24a57859657dc587c8f6bacaa7c13c73e89d721b6ab966c0b13f89

memory/2368-14-0x0000000074AD0000-0x0000000075081000-memory.dmp

memory/4840-13-0x0000000074AD0000-0x0000000075081000-memory.dmp

memory/2368-15-0x0000000074AD0000-0x0000000075081000-memory.dmp

C:\Users\Admin\AppData\Roaming\app

MD5 b66e20886f9675fe4dbf430ea2d0bf8d
SHA1 2e676da72201e6e4482e00b300511900c6aee5a0
SHA256 899a421c56c18058cbdd16dd7fb313a57d36c1189ca0f442070ed01d17241414
SHA512 f431616522f775de27ccde420f0de6f8b3477fbe97cfd8001864b8289a570916a6dd32c84fcf8af6083d8c1b47c61aa5c73ed1e7cc75213d3f24bd94a93cb870

memory/2368-29-0x0000000074AD0000-0x0000000075081000-memory.dmp

memory/2368-66-0x0000000074AD0000-0x0000000075081000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

MD5 a4467dea22bfd7e0083d680c571f5e7c
SHA1 59682ca656f04dd57f7ef4552b96f71d73196ea2
SHA256 d165b248678c73e289a7d4a8aa74acc5c09408e58b8f2abd668013ca12c00cc4
SHA512 73d25a179994c16b2b3a357e8b068ebf415418033cd601d7084b3a44d822cb99c33c396c9a27ad6fa2066748032e21f09ce89461bc3180ec071d2d64e68ad790

C:\Users\Admin\AppData\Local\Temp\melt.txt

MD5 298802dff6aa26d4fb941c7ccf5c0849
SHA1 11e518ca3409f1863ebc2d3f1be9fb701bad52c0
SHA256 df99fdbdf7b92b29b1bf1ca4283b4de2e04643b9739d2d1089ab5808e8e5665d
SHA512 0301017dfef1b74855d6535f3fd542257689479cb933c2e8742b5b6b94e26107fa38e7fc21bdb83d45184750eced344856092330fb30a1ebbc24b2b9004c8946

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log

MD5 661cab77d3b907e8057f2e689e995af3
SHA1 5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c
SHA256 8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2
SHA512 2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67