a4d2060b27fbf0500f87ddf80278ebd9f7c0861d487250b0048a4fd87fa79b8f

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

joiner.exe
Size

93KB
MD5

ceabf00e91c6d219345af40a28da43e8
SHA1

1203c6455e46b4a7007dea71f81849d50e3e48c1
SHA256

a4d2060b27fbf0500f87ddf80278ebd9f7c0861d487250b0048a4fd87fa79b8f
SHA512

6098e888ebde819d137d9132d7f27dee52c9214c64f76aad6ddac713426ad62a10cf37c36d9bcd568156b5c83f43cad80cb4608705e1eea7cd220a00ca04707f
SSDEEP

768:AY3XiBD7O/pBcxYsbae6GIXb9pDXQzVMBwXCmXxrjEtCdnl2pi1Rz4Rk3B6sGd0F:PipOx6baIa9RtytjEwzGi1dDRmKVgS

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 64 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4220	netsh.exe
3836	netsh.exe
4044	netsh.exe
2404	netsh.exe
1064	netsh.exe
4400	netsh.exe
2560	netsh.exe
2144	netsh.exe
3676	netsh.exe
4440	netsh.exe
1084	netsh.exe
2440	netsh.exe
1460	netsh.exe
3452	netsh.exe
1068	netsh.exe
3256	netsh.exe
4888	netsh.exe
728	netsh.exe
1228	netsh.exe
3004	netsh.exe
3532	netsh.exe
632	netsh.exe
2984	netsh.exe
4028	netsh.exe
1052	netsh.exe
2960	netsh.exe
4728	netsh.exe
320	netsh.exe
1812	netsh.exe
1408	netsh.exe
3516	netsh.exe
3500	netsh.exe
3980	netsh.exe
3032	netsh.exe
4892	netsh.exe
3004	netsh.exe
2680	netsh.exe
3568	netsh.exe
3568	netsh.exe
2980	netsh.exe
2980	netsh.exe
5100	netsh.exe
2180	netsh.exe
1168	netsh.exe
2052	netsh.exe
1856	netsh.exe
1680	netsh.exe
1584	netsh.exe
4440	netsh.exe
4372	netsh.exe
4092	netsh.exe
5088	netsh.exe
3532	netsh.exe
2376	netsh.exe
3392	netsh.exe
1924	netsh.exe
2452	netsh.exe
4500	netsh.exe
3164	netsh.exe
3324	netsh.exe
1588	netsh.exe
3144	netsh.exe
452	netsh.exe
4268	netsh.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	joiner.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe

Drops startup file 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe

Executes dropped EXE 64 IoCs

pid	Process
5008	server.exe
4020	svchost.exe
1812	server.exe
4212	svchost.exe
1424	server.exe
4320	svchost.exe
1392	server.exe
3032	svchost.exe
4056	server.exe
1280	svchost.exe
2824	server.exe
4884	svchost.exe
3120	server.exe
2376	svchost.exe
4728	server.exe
3396	svchost.exe
3236	server.exe
4228	svchost.exe
452	server.exe
3676	svchost.exe
1912	server.exe
4944	svchost.exe
1220	server.exe
5016	svchost.exe
1940	server.exe
4324	svchost.exe
3704	server.exe
2668	svchost.exe
4796	server.exe
1776	svchost.exe
3280	server.exe
4716	svchost.exe
1168	server.exe
2040	svchost.exe
624	server.exe
4380	svchost.exe
1588	server.exe
3212	svchost.exe
2552	server.exe
3512	svchost.exe
2224	server.exe
1048	svchost.exe
3476	server.exe
3264	svchost.exe
3696	server.exe
1404	svchost.exe
908	server.exe
2704	svchost.exe
1872	server.exe
924	svchost.exe
4544	server.exe
1228	svchost.exe
4024	server.exe
928	svchost.exe
2060	server.exe
2552	svchost.exe
4304	server.exe
728	svchost.exe
4956	server.exe
3476	svchost.exe
4964	server.exe
2968	svchost.exe
3768	server.exe
908	svchost.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe
File created	F:\autorun.inf	server.exe
File opened for modification	F:\autorun.inf	server.exe

Drops file in System32 directory 41 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File created	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe

Drops file in Program Files directory 41 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File created	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe
5008	server.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	server.exe
Token: SeDebugPrivilege	1812	server.exe
Token: SeDebugPrivilege	1424	server.exe
Token: SeDebugPrivilege	1392	server.exe
Token: SeDebugPrivilege	4056	server.exe
Token: SeDebugPrivilege	2824	server.exe
Token: SeDebugPrivilege	3120	server.exe
Token: SeDebugPrivilege	4728	server.exe
Token: SeDebugPrivilege	3236	server.exe
Token: SeDebugPrivilege	452	server.exe
Token: SeDebugPrivilege	1912	server.exe
Token: SeDebugPrivilege	1220	server.exe
Token: SeDebugPrivilege	1940	server.exe
Token: SeDebugPrivilege	3704	server.exe
Token: SeDebugPrivilege	4796	server.exe
Token: SeDebugPrivilege	3280	server.exe
Token: SeDebugPrivilege	1168	server.exe
Token: SeDebugPrivilege	624	server.exe
Token: SeDebugPrivilege	1588	server.exe
Token: SeDebugPrivilege	2552	server.exe
Token: SeDebugPrivilege	2224	server.exe
Token: SeDebugPrivilege	3476	server.exe
Token: SeDebugPrivilege	3696	server.exe
Token: SeDebugPrivilege	908	server.exe
Token: SeDebugPrivilege	1872	server.exe
Token: SeDebugPrivilege	4544	server.exe
Token: SeDebugPrivilege	4024	server.exe
Token: SeDebugPrivilege	2060	server.exe
Token: SeDebugPrivilege	4304	server.exe
Token: SeDebugPrivilege	4956	server.exe
Token: SeDebugPrivilege	4964	server.exe
Token: SeDebugPrivilege	3768	server.exe
Token: SeDebugPrivilege	4504	server.exe
Token: SeDebugPrivilege	4312	server.exe
Token: SeDebugPrivilege	2712	server.exe
Token: SeDebugPrivilege	5024	server.exe
Token: SeDebugPrivilege	2992	server.exe
Token: SeDebugPrivilege	388	server.exe
Token: SeDebugPrivilege	1080	server.exe
Token: SeDebugPrivilege	912	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 5008	4564	joiner.exe	82
PID 4564 wrote to memory of 5008	4564	joiner.exe	82
PID 4564 wrote to memory of 5008	4564	joiner.exe	82
PID 5008 wrote to memory of 4220	5008	server.exe	83
PID 5008 wrote to memory of 4220	5008	server.exe	83
PID 5008 wrote to memory of 4220	5008	server.exe	83
PID 5008 wrote to memory of 2984	5008	server.exe	85
PID 5008 wrote to memory of 2984	5008	server.exe	85
PID 5008 wrote to memory of 2984	5008	server.exe	85
PID 5008 wrote to memory of 1408	5008	server.exe	86
PID 5008 wrote to memory of 1408	5008	server.exe	86
PID 5008 wrote to memory of 1408	5008	server.exe	86
PID 5008 wrote to memory of 4020	5008	server.exe	89
PID 5008 wrote to memory of 4020	5008	server.exe	89
PID 5008 wrote to memory of 4020	5008	server.exe	89
PID 4020 wrote to memory of 1812	4020	svchost.exe	90
PID 4020 wrote to memory of 1812	4020	svchost.exe	90
PID 4020 wrote to memory of 1812	4020	svchost.exe	90
PID 1812 wrote to memory of 3980	1812	server.exe	91
PID 1812 wrote to memory of 3980	1812	server.exe	91
PID 1812 wrote to memory of 3980	1812	server.exe	91
PID 1812 wrote to memory of 2144	1812	server.exe	93
PID 1812 wrote to memory of 2144	1812	server.exe	93
PID 1812 wrote to memory of 2144	1812	server.exe	93
PID 1812 wrote to memory of 5088	1812	server.exe	94
PID 1812 wrote to memory of 5088	1812	server.exe	94
PID 1812 wrote to memory of 5088	1812	server.exe	94
PID 1812 wrote to memory of 4212	1812	server.exe	97
PID 1812 wrote to memory of 4212	1812	server.exe	97
PID 1812 wrote to memory of 4212	1812	server.exe	97
PID 4212 wrote to memory of 1424	4212	svchost.exe	100
PID 4212 wrote to memory of 1424	4212	svchost.exe	100
PID 4212 wrote to memory of 1424	4212	svchost.exe	100
PID 1424 wrote to memory of 3376	1424	server.exe	103
PID 1424 wrote to memory of 3376	1424	server.exe	103
PID 1424 wrote to memory of 3376	1424	server.exe	103
PID 1424 wrote to memory of 3532	1424	server.exe	105
PID 1424 wrote to memory of 3532	1424	server.exe	105
PID 1424 wrote to memory of 3532	1424	server.exe	105
PID 1424 wrote to memory of 4884	1424	server.exe	106
PID 1424 wrote to memory of 4884	1424	server.exe	106
PID 1424 wrote to memory of 4884	1424	server.exe	106
PID 1424 wrote to memory of 4320	1424	server.exe	109
PID 1424 wrote to memory of 4320	1424	server.exe	109
PID 1424 wrote to memory of 4320	1424	server.exe	109
PID 4320 wrote to memory of 1392	4320	svchost.exe	111
PID 4320 wrote to memory of 1392	4320	svchost.exe	111
PID 4320 wrote to memory of 1392	4320	svchost.exe	111
PID 1392 wrote to memory of 2180	1392	server.exe	112
PID 1392 wrote to memory of 2180	1392	server.exe	112
PID 1392 wrote to memory of 2180	1392	server.exe	112
PID 1392 wrote to memory of 3676	1392	server.exe	114
PID 1392 wrote to memory of 3676	1392	server.exe	114
PID 1392 wrote to memory of 3676	1392	server.exe	114
PID 1392 wrote to memory of 3836	1392	server.exe	115
PID 1392 wrote to memory of 3836	1392	server.exe	115
PID 1392 wrote to memory of 3836	1392	server.exe	115
PID 1392 wrote to memory of 3032	1392	server.exe	118
PID 1392 wrote to memory of 3032	1392	server.exe	118
PID 1392 wrote to memory of 3032	1392	server.exe	118
PID 3032 wrote to memory of 4056	3032	svchost.exe	121
PID 3032 wrote to memory of 4056	3032	svchost.exe	121
PID 3032 wrote to memory of 4056	3032	svchost.exe	121
PID 4056 wrote to memory of 4028	4056	server.exe	122

C:\Users\Admin\AppData\Local\Temp\joiner.exe
"C:\Users\Admin\AppData\Local\Temp\joiner.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4220
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2984
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    PID:1408
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:3980
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2144
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:5088
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4212
      - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        6⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        7⤵
        Modifies Windows Firewall
        
        PID:3532
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        7⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        8⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3676
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        10⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        11⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4028
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        11⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        11⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        12⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        13⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        13⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        13⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        14⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        15⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2452
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        15⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        15⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        17⤵
        Modifies Windows Firewall
        
        PID:4044
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        17⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        17⤵
        Modifies Windows Firewall
        
        PID:1460
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        17⤵
        Executes dropped EXE
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3236
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        19⤵
        Modifies Windows Firewall
        
        PID:1856
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        19⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4716
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        20⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:452
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        21⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4316
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        21⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        22⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        23⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        23⤵
        Modifies Windows Firewall
        
        PID:2376
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        23⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        24⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        25⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        25⤵
        Modifies Windows Firewall
        
        PID:4500
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        25⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        26⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        27⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1168
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        27⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        27⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        28⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        29⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        29⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:820
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        29⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3452
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        30⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        31⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        31⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        31⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        31⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        32⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3280
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        33⤵
        Modifies Windows Firewall
        
        PID:1680
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        33⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        33⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        34⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        35⤵
        Modifies Windows Firewall
        
        PID:2980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        35⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        35⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        36⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        37⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        37⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        37⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        38⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        39⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        39⤵
        Modifies Windows Firewall
        
        PID:3392
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        39⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        40⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        41⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        41⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4264
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        41⤵
        Modifies Windows Firewall
        
        PID:1064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        42⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        43⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        43⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1068
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        43⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4372
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        44⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3476
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        45⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        45⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:920
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        46⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3696
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        47⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3256
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        47⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        47⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        47⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        48⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        49⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        49⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        50⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        51⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2680
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        51⤵
        Modifies Windows Firewall
        
        PID:2440
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        51⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        52⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        53⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        53⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        54⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        55⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4400
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        55⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        55⤵
        Modifies Windows Firewall
        
        PID:1588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        56⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        57⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        57⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        57⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        59⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        59⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        59⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        60⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        61⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1400
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        61⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2052
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        61⤵
        Modifies Windows Firewall
        
        PID:3568
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        62⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        63⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3156
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        63⤵
        Modifies Windows Firewall
        
        PID:4888
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        64⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3768
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        65⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        65⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4872
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        65⤵
        Modifies Windows Firewall
        
        PID:3532
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        66⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        67⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1052
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        67⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2584
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        67⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:664
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        67⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        68⤵
        Checks computer location settings
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4312
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        69⤵
        Modifies Windows Firewall
        
        PID:728
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        69⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        69⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        69⤵
        Checks computer location settings
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        70⤵
        Checks computer location settings
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        71⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        71⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        71⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        71⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        72⤵
        Checks computer location settings
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5024
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        73⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        73⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        73⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        73⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        74⤵
        Checks computer location settings
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        75⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2560
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        75⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2960
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        75⤵
        Modifies Windows Firewall
        
        PID:4440
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        75⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        76⤵
        Checks computer location settings
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        77⤵
        Modifies Windows Firewall
        
        PID:4728
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        77⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3568
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        77⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        77⤵
        Checks computer location settings
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        78⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        79⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3144
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        79⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1860
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        79⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4388
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        79⤵
        Checks computer location settings
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        80⤵
        Checks computer location settings
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        81⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4244
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        81⤵
        Checks computer location settings
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        82⤵
        
        PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
408B

MD5
661cab77d3b907e8057f2e689e995af3

SHA1
5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

SHA256
8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

SHA512
2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
44B

MD5
298802dff6aa26d4fb941c7ccf5c0849

SHA1
11e518ca3409f1863ebc2d3f1be9fb701bad52c0

SHA256
df99fdbdf7b92b29b1bf1ca4283b4de2e04643b9739d2d1089ab5808e8e5665d

SHA512
0301017dfef1b74855d6535f3fd542257689479cb933c2e8742b5b6b94e26107fa38e7fc21bdb83d45184750eced344856092330fb30a1ebbc24b2b9004c8946

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
93KB

MD5
ceabf00e91c6d219345af40a28da43e8

SHA1
1203c6455e46b4a7007dea71f81849d50e3e48c1

SHA256
a4d2060b27fbf0500f87ddf80278ebd9f7c0861d487250b0048a4fd87fa79b8f

SHA512
6098e888ebde819d137d9132d7f27dee52c9214c64f76aad6ddac713426ad62a10cf37c36d9bcd568156b5c83f43cad80cb4608705e1eea7cd220a00ca04707f

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
02b81b0cbe1faaa1fa62d5fc876ab443

SHA1
d473cfe21fb1f188689415b0bdd239688f8fddd9

SHA256
e7e9e2c247bc872bacce77661c78f001a17d70ee3130a9016a5818da9da00cdb

SHA512
592ab5b200d4c560951cb70288dc1b7a562f0cbfaee01ce03076b6934d537b88575c2e1e0fedcc05db95e6c224ca739923e7d74f9165e683f3fbad7bbf641784

Download Submit
memory/4564-0-0x00000000754D2000-0x00000000754D3000-memory.dmp

Filesize
4KB

Download
memory/4564-1-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/4564-2-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/4564-13-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/5008-14-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/5008-15-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/5008-48-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download