njrat | a4d2060b27fbf0500f87ddf80278ebd9f7c0861d487250b0048a4fd87fa79b8f

Analysis

max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

joiner.exe
Size

93KB
MD5

ceabf00e91c6d219345af40a28da43e8
SHA1

1203c6455e46b4a7007dea71f81849d50e3e48c1
SHA256

a4d2060b27fbf0500f87ddf80278ebd9f7c0861d487250b0048a4fd87fa79b8f
SHA512

6098e888ebde819d137d9132d7f27dee52c9214c64f76aad6ddac713426ad62a10cf37c36d9bcd568156b5c83f43cad80cb4608705e1eea7cd220a00ca04707f
SSDEEP

768:AY3XiBD7O/pBcxYsbae6GIXb9pDXQzVMBwXCmXxrjEtCdnl2pi1Rz4Rk3B6sGd0F:PipOx6baIa9RtytjEwzGi1dDRmKVgS

Score

10^/10

njrat dock discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

dock

hakim32.ddns.net:2000

pool-tournaments.gl.at.ply.gg:7445

Mutex

13123c66ee9d74c7936482e0e7d9809f

Attributes

reg_key
13123c66ee9d74c7936482e0e7d9809f
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 64 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2528	netsh.exe
972	netsh.exe
1004	netsh.exe
2484	netsh.exe
1028	netsh.exe
1552	netsh.exe
1672	netsh.exe
2100	netsh.exe
2580	netsh.exe
2428	netsh.exe
2608	netsh.exe
1124	netsh.exe
2516	netsh.exe
928	netsh.exe
456	netsh.exe
2388	netsh.exe
2544	netsh.exe
2376	netsh.exe
2032	netsh.exe
1336	netsh.exe
2300	netsh.exe
1632	netsh.exe
1336	netsh.exe
1928	netsh.exe
3004	netsh.exe
2472	netsh.exe
2736	netsh.exe
2992	netsh.exe
1656	netsh.exe
2804	netsh.exe
1676	netsh.exe
2180	netsh.exe
1552	netsh.exe
2824	netsh.exe
2944	netsh.exe
1640	netsh.exe
2764	netsh.exe
2256	netsh.exe
2116	netsh.exe
1628	netsh.exe
3052	netsh.exe
2516	netsh.exe
584	netsh.exe
2440	netsh.exe
2448	netsh.exe
1976	netsh.exe
2076	netsh.exe
2028	netsh.exe
2788	netsh.exe
2600	netsh.exe
848	netsh.exe
972	netsh.exe
2748	netsh.exe
2176	netsh.exe
1272	netsh.exe
2336	netsh.exe
1704	netsh.exe
2720	netsh.exe
1948	netsh.exe
2844	netsh.exe
1488	netsh.exe
3012	netsh.exe
1868	netsh.exe
1552	netsh.exe

Drops startup file 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe

Executes dropped EXE 64 IoCs

pid	Process
2396	server.exe
2776	svchost.exe
2792	server.exe
2276	svchost.exe
1912	server.exe
1664	svchost.exe
2176	server.exe
2612	svchost.exe
2832	server.exe
1932	svchost.exe
640	server.exe
1304	svchost.exe
1232	server.exe
1800	svchost.exe
1892	server.exe
2892	svchost.exe
3048	server.exe
1752	svchost.exe
1040	server.exe
2536	svchost.exe
684	server.exe
1664	svchost.exe
2300	server.exe
2420	svchost.exe
2732	server.exe
1840	svchost.exe
1336	server.exe
1044	svchost.exe
1440	server.exe
1524	svchost.exe
2568	server.exe
2444	svchost.exe
324	server.exe
2428	svchost.exe
1752	server.exe
1280	svchost.exe
2184	server.exe
1020	svchost.exe
2804	server.exe
2892	svchost.exe
2072	server.exe
2124	svchost.exe
2172	server.exe
2492	svchost.exe
1788	server.exe
2136	svchost.exe
2868	server.exe
584	svchost.exe
2080	server.exe
1676	svchost.exe
2076	server.exe
2688	svchost.exe
1528	server.exe
1664	svchost.exe
2876	server.exe
644	svchost.exe
2788	server.exe
2364	svchost.exe
3044	server.exe
1164	svchost.exe
1044	server.exe
1128	svchost.exe
2952	server.exe
2396	svchost.exe

Loads dropped DLL 64 IoCs

pid	Process
2116	joiner.exe
2116	joiner.exe
2396	server.exe
2396	server.exe
2776	svchost.exe
2776	svchost.exe
2792	server.exe
2792	server.exe
2276	svchost.exe
2276	svchost.exe
1912	server.exe
1912	server.exe
1664	svchost.exe
1664	svchost.exe
2176	server.exe
2176	server.exe
2612	svchost.exe
2612	svchost.exe
2832	server.exe
2832	server.exe
1932	svchost.exe
1932	svchost.exe
640	server.exe
640	server.exe
1304	svchost.exe
1304	svchost.exe
1232	server.exe
1232	server.exe
1800	svchost.exe
1800	svchost.exe
1892	server.exe
1892	server.exe
2892	svchost.exe
2892	svchost.exe
3048	server.exe
3048	server.exe
1752	svchost.exe
1752	svchost.exe
1040	server.exe
1040	server.exe
2536	svchost.exe
2536	svchost.exe
684	server.exe
684	server.exe
1664	svchost.exe
1664	svchost.exe
2300	server.exe
2300	server.exe
2420	svchost.exe
2420	svchost.exe
2732	server.exe
2732	server.exe
1840	svchost.exe
1840	svchost.exe
1336	server.exe
1336	server.exe
1044	svchost.exe
1044	svchost.exe
1440	server.exe
1440	server.exe
1524	svchost.exe
1524	svchost.exe
2568	server.exe
2568	server.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe
File created	F:\autorun.inf	server.exe
File opened for modification	F:\autorun.inf	server.exe

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File created	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File created	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	joiner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	server.exe
Token: SeDebugPrivilege	2792	server.exe
Token: SeDebugPrivilege	1912	server.exe
Token: SeDebugPrivilege	2176	server.exe
Token: SeDebugPrivilege	2832	server.exe
Token: SeDebugPrivilege	640	server.exe
Token: SeDebugPrivilege	1232	server.exe
Token: SeDebugPrivilege	1892	server.exe
Token: SeDebugPrivilege	3048	server.exe
Token: SeDebugPrivilege	1040	server.exe
Token: SeDebugPrivilege	684	server.exe
Token: SeDebugPrivilege	2300	server.exe
Token: SeDebugPrivilege	2732	server.exe
Token: SeDebugPrivilege	1336	server.exe
Token: SeDebugPrivilege	1440	server.exe
Token: SeDebugPrivilege	2568	server.exe
Token: SeDebugPrivilege	324	server.exe
Token: SeDebugPrivilege	1752	server.exe
Token: SeDebugPrivilege	2184	server.exe
Token: SeDebugPrivilege	2804	server.exe
Token: SeDebugPrivilege	2072	server.exe
Token: SeDebugPrivilege	2172	server.exe
Token: SeDebugPrivilege	1788	server.exe
Token: SeDebugPrivilege	2868	server.exe
Token: SeDebugPrivilege	2080	server.exe
Token: SeDebugPrivilege	2076	server.exe
Token: SeDebugPrivilege	1528	server.exe
Token: SeDebugPrivilege	2876	server.exe
Token: SeDebugPrivilege	2788	server.exe
Token: SeDebugPrivilege	3044	server.exe
Token: SeDebugPrivilege	1044	server.exe
Token: SeDebugPrivilege	2952	server.exe
Token: SeDebugPrivilege	2148	server.exe
Token: SeDebugPrivilege	1840	server.exe
Token: SeDebugPrivilege	2368	server.exe
Token: SeDebugPrivilege	1960	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2396	2116	joiner.exe	30
PID 2116 wrote to memory of 2396	2116	joiner.exe	30
PID 2116 wrote to memory of 2396	2116	joiner.exe	30
PID 2116 wrote to memory of 2396	2116	joiner.exe	30
PID 2396 wrote to memory of 2944	2396	server.exe	31
PID 2396 wrote to memory of 2944	2396	server.exe	31
PID 2396 wrote to memory of 2944	2396	server.exe	31
PID 2396 wrote to memory of 2944	2396	server.exe	31
PID 2396 wrote to memory of 1656	2396	server.exe	33
PID 2396 wrote to memory of 1656	2396	server.exe	33
PID 2396 wrote to memory of 1656	2396	server.exe	33
PID 2396 wrote to memory of 1656	2396	server.exe	33
PID 2396 wrote to memory of 2860	2396	server.exe	34
PID 2396 wrote to memory of 2860	2396	server.exe	34
PID 2396 wrote to memory of 2860	2396	server.exe	34
PID 2396 wrote to memory of 2860	2396	server.exe	34
PID 2396 wrote to memory of 2776	2396	server.exe	37
PID 2396 wrote to memory of 2776	2396	server.exe	37
PID 2396 wrote to memory of 2776	2396	server.exe	37
PID 2396 wrote to memory of 2776	2396	server.exe	37
PID 2776 wrote to memory of 2792	2776	svchost.exe	38
PID 2776 wrote to memory of 2792	2776	svchost.exe	38
PID 2776 wrote to memory of 2792	2776	svchost.exe	38
PID 2776 wrote to memory of 2792	2776	svchost.exe	38
PID 2792 wrote to memory of 1672	2792	server.exe	39
PID 2792 wrote to memory of 1672	2792	server.exe	39
PID 2792 wrote to memory of 1672	2792	server.exe	39
PID 2792 wrote to memory of 1672	2792	server.exe	39
PID 2792 wrote to memory of 396	2792	server.exe	41
PID 2792 wrote to memory of 396	2792	server.exe	41
PID 2792 wrote to memory of 396	2792	server.exe	41
PID 2792 wrote to memory of 396	2792	server.exe	41
PID 2792 wrote to memory of 2356	2792	server.exe	42
PID 2792 wrote to memory of 2356	2792	server.exe	42
PID 2792 wrote to memory of 2356	2792	server.exe	42
PID 2792 wrote to memory of 2356	2792	server.exe	42
PID 2792 wrote to memory of 2276	2792	server.exe	45
PID 2792 wrote to memory of 2276	2792	server.exe	45
PID 2792 wrote to memory of 2276	2792	server.exe	45
PID 2792 wrote to memory of 2276	2792	server.exe	45
PID 2276 wrote to memory of 1912	2276	svchost.exe	46
PID 2276 wrote to memory of 1912	2276	svchost.exe	46
PID 2276 wrote to memory of 1912	2276	svchost.exe	46
PID 2276 wrote to memory of 1912	2276	svchost.exe	46
PID 1912 wrote to memory of 2500	1912	server.exe	47
PID 1912 wrote to memory of 2500	1912	server.exe	47
PID 1912 wrote to memory of 2500	1912	server.exe	47
PID 1912 wrote to memory of 2500	1912	server.exe	47
PID 1912 wrote to memory of 772	1912	server.exe	49
PID 1912 wrote to memory of 772	1912	server.exe	49
PID 1912 wrote to memory of 772	1912	server.exe	49
PID 1912 wrote to memory of 772	1912	server.exe	49
PID 1912 wrote to memory of 1004	1912	server.exe	50
PID 1912 wrote to memory of 1004	1912	server.exe	50
PID 1912 wrote to memory of 1004	1912	server.exe	50
PID 1912 wrote to memory of 1004	1912	server.exe	50
PID 1912 wrote to memory of 1664	1912	server.exe	53
PID 1912 wrote to memory of 1664	1912	server.exe	53
PID 1912 wrote to memory of 1664	1912	server.exe	53
PID 1912 wrote to memory of 1664	1912	server.exe	53
PID 1664 wrote to memory of 2176	1664	svchost.exe	54
PID 1664 wrote to memory of 2176	1664	svchost.exe	54
PID 1664 wrote to memory of 2176	1664	svchost.exe	54
PID 1664 wrote to memory of 2176	1664	svchost.exe	54

C:\Users\Admin\AppData\Local\Temp\joiner.exe
"C:\Users\Admin\AppData\Local\Temp\joiner.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2944
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1656
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2860
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:1672
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:396
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2356
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2276
      - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2500
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        8⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        9⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        9⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        10⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        11⤵
        Modifies Windows Firewall
        
        PID:2720
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        11⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2448
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        12⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        13⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        13⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1908
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        13⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        14⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        15⤵
        
        PID:456
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        15⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2476
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        15⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        16⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        17⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        17⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2176
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        18⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        19⤵
        Modifies Windows Firewall
        
        PID:2764
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        19⤵
        Modifies Windows Firewall
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        20⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        21⤵
        Modifies Windows Firewall
        
        PID:1552
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        21⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        21⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1612
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        22⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        23⤵
        Modifies Windows Firewall
        
        PID:1976
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        23⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1928
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        23⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        24⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        25⤵
        Modifies Windows Firewall
        
        PID:2580
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        25⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        25⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1236
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        26⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        27⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3060
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        27⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        27⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        28⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        29⤵
        Modifies Windows Firewall
        
        PID:2600
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        29⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2128
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        29⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        30⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        31⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2700
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        31⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        31⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        32⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        33⤵
        Modifies Windows Firewall
        
        PID:3004
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        33⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        33⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2196
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        33⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        34⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        35⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        35⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        35⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        36⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        37⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        37⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2180
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        37⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        37⤵
        Executes dropped EXE
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        38⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        39⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2308
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        39⤵
        Modifies Windows Firewall
        
        PID:2032
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        39⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        40⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        41⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        41⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1628
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        41⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        42⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        43⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        43⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        43⤵
        Executes dropped EXE
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        44⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        45⤵
        Modifies Windows Firewall
        
        PID:1336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        45⤵
        Modifies Windows Firewall
        
        PID:1948
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        45⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        46⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        47⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        47⤵
        Modifies Windows Firewall
        
        PID:972
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        47⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        47⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        48⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        49⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3052
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        49⤵
        
        PID:924
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        49⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        49⤵
        Executes dropped EXE
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        50⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        51⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        51⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        51⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1488
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        51⤵
        Executes dropped EXE
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        52⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        53⤵
        Modifies Windows Firewall
        
        PID:1552
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        53⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        53⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        54⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        55⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        55⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        55⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:964
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        55⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        56⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        57⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        57⤵
        Modifies Windows Firewall
        
        PID:2804
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        57⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2388
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        58⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        59⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2736
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        59⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        59⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        60⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        61⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:600
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        61⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        62⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        63⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:456
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        63⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        63⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        63⤵
        Executes dropped EXE
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        64⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        65⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        65⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        65⤵
        Modifies Windows Firewall
        
        PID:2300
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        65⤵
        Executes dropped EXE
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        66⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        67⤵
        Modifies Windows Firewall
        
        PID:2516
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        67⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2712
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        67⤵
        Modifies Windows Firewall
        
        PID:584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        67⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        68⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        69⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2440
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        69⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        69⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2256
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        69⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        70⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        71⤵
        Modifies Windows Firewall
        
        PID:2100
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        71⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        71⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        72⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        73⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1956
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        73⤵
        Modifies Windows Firewall
        
        PID:2748
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        73⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        74⤵
        
        PID:928
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        75⤵
        Modifies Windows Firewall
        
        PID:2176
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        75⤵
        Modifies Windows Firewall
        
        PID:1868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        75⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        75⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        76⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        77⤵
        Modifies Windows Firewall
        
        PID:1336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        77⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        77⤵
        Modifies Windows Firewall
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        77⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        78⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        79⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        79⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        79⤵
        Modifies Windows Firewall
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        79⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        80⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        81⤵
        Modifies Windows Firewall
        
        PID:2472
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        81⤵
        Modifies Windows Firewall
        
        PID:1124
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        81⤵
        Modifies Windows Firewall
        
        PID:972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        81⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        82⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        83⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        83⤵
        Modifies Windows Firewall
        
        PID:2544
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        83⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        83⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        84⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        85⤵
        Modifies Windows Firewall
        
        PID:2076
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        85⤵
        
        PID:600
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        85⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        85⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        86⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        87⤵
        Modifies Windows Firewall
        
        PID:1272
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        87⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        87⤵
        Modifies Windows Firewall
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        87⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        88⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        89⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        89⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        89⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        89⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        90⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        91⤵
        Modifies Windows Firewall
        
        PID:2788
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        91⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        91⤵
        Modifies Windows Firewall
        
        PID:2516
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        91⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        92⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        93⤵
        Modifies Windows Firewall
        
        PID:1028
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        93⤵
        Modifies Windows Firewall
        
        PID:1704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        93⤵
        Modifies Windows Firewall
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        93⤵
        
        PID:3068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-188559817470930416530488898-1057203455-748160707-995196095-13634310021906865048"
1⤵
PID:2568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1499165750938201399355187178-1114589096-332905661991375945-19307377902024001268"
1⤵
PID:1752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "162976610-109599901234411822006820207372813173-198721716520238145571479324751"
1⤵
PID:2308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1950169163895066949-4574222562279709901383687955-16424943611338028690-1686917292"
1⤵
PID:2376

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-909017331-2091546118100971510516311601211752807499616131976-12208175771142387230"
1⤵
PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1924155588754298273293445819992031407-118754222090655580012673499268501975"
1⤵
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
44B

MD5
298802dff6aa26d4fb941c7ccf5c0849

SHA1
11e518ca3409f1863ebc2d3f1be9fb701bad52c0

SHA256
df99fdbdf7b92b29b1bf1ca4283b4de2e04643b9739d2d1089ab5808e8e5665d

SHA512
0301017dfef1b74855d6535f3fd542257689479cb933c2e8742b5b6b94e26107fa38e7fc21bdb83d45184750eced344856092330fb30a1ebbc24b2b9004c8946

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
02b81b0cbe1faaa1fa62d5fc876ab443

SHA1
d473cfe21fb1f188689415b0bdd239688f8fddd9

SHA256
e7e9e2c247bc872bacce77661c78f001a17d70ee3130a9016a5818da9da00cdb

SHA512
592ab5b200d4c560951cb70288dc1b7a562f0cbfaee01ce03076b6934d537b88575c2e1e0fedcc05db95e6c224ca739923e7d74f9165e683f3fbad7bbf641784

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
93KB

MD5
ceabf00e91c6d219345af40a28da43e8

SHA1
1203c6455e46b4a7007dea71f81849d50e3e48c1

SHA256
a4d2060b27fbf0500f87ddf80278ebd9f7c0861d487250b0048a4fd87fa79b8f

SHA512
6098e888ebde819d137d9132d7f27dee52c9214c64f76aad6ddac713426ad62a10cf37c36d9bcd568156b5c83f43cad80cb4608705e1eea7cd220a00ca04707f

Download Submit
memory/2116-0-0x00000000744E1000-0x00000000744E2000-memory.dmp

Filesize
4KB

Download
memory/2116-1-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/2116-2-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/2116-14-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/2396-15-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/2396-16-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/2396-17-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/2396-51-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download