Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
17-12-2024 04:06
Behavioral task
behavioral1
Sample
984c7149b8a948d4fb3b5c50f8f006206a985841203f647d66b0880e56a55e08.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
984c7149b8a948d4fb3b5c50f8f006206a985841203f647d66b0880e56a55e08.exe
Resource
win10v2004-20241007-en
General
-
Target
984c7149b8a948d4fb3b5c50f8f006206a985841203f647d66b0880e56a55e08.exe
-
Size
93KB
-
MD5
173883b31d172e5140f98fd0e927ff10
-
SHA1
1e477ebc749e1ef65c820cfb959d96ffc058b587
-
SHA256
984c7149b8a948d4fb3b5c50f8f006206a985841203f647d66b0880e56a55e08
-
SHA512
01d262922177e746898cfdf9fee9d7b85a273ff43d445cf40f5ee989b51a08bfe71eb270b501a164192565666e4aaef701cbf6594e89c152d9acc43ca881c56a
-
SSDEEP
1536:XFJGER1tMnnwlOU5oTRKwjEwzGi1dDsKngS:XFJMnnwlOUWT0hi1dzg
Malware Config
Extracted
njrat
0.7d
dock
hakim32.ddns.net:2000
127.0.0.1:555
c772fa1f7fc98d866443249d79c0b299
-
reg_key
c772fa1f7fc98d866443249d79c0b299
-
splitter
|'|'|
Signatures
-
Njrat family
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 64 IoCs
pid Process 2972 netsh.exe 2724 netsh.exe 1436 netsh.exe 2020 netsh.exe 3048 netsh.exe 2872 netsh.exe 2096 netsh.exe 2292 netsh.exe 1560 netsh.exe 2040 netsh.exe 2280 netsh.exe 2220 netsh.exe 2772 netsh.exe 2900 netsh.exe 2444 netsh.exe 2732 netsh.exe 2060 netsh.exe 2684 netsh.exe 1000 netsh.exe 1852 netsh.exe 2228 netsh.exe 2284 netsh.exe 1564 netsh.exe 2420 netsh.exe 2208 netsh.exe 568 netsh.exe 968 netsh.exe 2148 netsh.exe 3012 netsh.exe 1504 netsh.exe 2244 netsh.exe 2464 netsh.exe 2760 netsh.exe 2224 netsh.exe 1764 netsh.exe 2272 netsh.exe 352 netsh.exe 1104 netsh.exe 3060 netsh.exe 2192 netsh.exe 884 netsh.exe 1576 netsh.exe 1592 netsh.exe 1684 netsh.exe 2988 netsh.exe 2856 netsh.exe 1600 netsh.exe 2428 netsh.exe 392 netsh.exe 2244 netsh.exe 1208 netsh.exe 2064 netsh.exe 1516 netsh.exe 2724 netsh.exe 1016 netsh.exe 2072 netsh.exe 2796 netsh.exe 480 netsh.exe 556 netsh.exe 2908 netsh.exe 2932 netsh.exe 908 netsh.exe 2380 netsh.exe 2920 netsh.exe -
Drops startup file 64 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe server.exe -
Executes dropped EXE 64 IoCs
pid Process 1648 server.exe 2940 svchost.exe 2792 server.exe 1636 svchost.exe 852 server.exe 2496 svchost.exe 2404 server.exe 1788 svchost.exe 2584 server.exe 2928 svchost.exe 2788 server.exe 1636 svchost.exe 2044 server.exe 1076 svchost.exe 2892 server.exe 2816 svchost.exe 2412 server.exe 2584 svchost.exe 1688 server.exe 2512 svchost.exe 1432 server.exe 996 svchost.exe 2644 server.exe 1648 svchost.exe 2188 server.exe 2940 svchost.exe 2020 server.exe 1688 svchost.exe 976 server.exe 1808 svchost.exe 708 server.exe 2900 svchost.exe 2724 server.exe 2776 svchost.exe 3052 server.exe 672 svchost.exe 1792 server.exe 2696 svchost.exe 640 server.exe 1820 svchost.exe 1648 server.exe 2724 svchost.exe 2580 server.exe 3052 svchost.exe 1688 server.exe 2044 svchost.exe 1604 server.exe 1980 svchost.exe 2028 server.exe 1788 svchost.exe 2776 server.exe 1056 svchost.exe 956 server.exe 1704 svchost.exe 996 server.exe 2812 svchost.exe 2636 server.exe 2944 svchost.exe 1976 server.exe 848 svchost.exe 2192 server.exe 2512 svchost.exe 352 server.exe 2772 svchost.exe -
Loads dropped DLL 64 IoCs
pid Process 1444 984c7149b8a948d4fb3b5c50f8f006206a985841203f647d66b0880e56a55e08.exe 1444 984c7149b8a948d4fb3b5c50f8f006206a985841203f647d66b0880e56a55e08.exe 1648 server.exe 1648 server.exe 2940 svchost.exe 2940 svchost.exe 2792 server.exe 2792 server.exe 1636 svchost.exe 1636 svchost.exe 852 server.exe 852 server.exe 2496 svchost.exe 2496 svchost.exe 2404 server.exe 2404 server.exe 1788 svchost.exe 1788 svchost.exe 2584 server.exe 2584 server.exe 2928 svchost.exe 2928 svchost.exe 2788 server.exe 2788 server.exe 1636 svchost.exe 1636 svchost.exe 2044 server.exe 2044 server.exe 1076 svchost.exe 1076 svchost.exe 2892 server.exe 2892 server.exe 2816 svchost.exe 2816 svchost.exe 2412 server.exe 2412 server.exe 2584 svchost.exe 2584 svchost.exe 1688 server.exe 1688 server.exe 2512 svchost.exe 2512 svchost.exe 1432 server.exe 1432 server.exe 996 svchost.exe 996 svchost.exe 2644 server.exe 2644 server.exe 1648 svchost.exe 1648 svchost.exe 2188 server.exe 2188 server.exe 2940 svchost.exe 2940 svchost.exe 2020 server.exe 2020 server.exe 1688 svchost.exe 1688 svchost.exe 976 server.exe 976 server.exe 1808 svchost.exe 1808 svchost.exe 708 server.exe 708 server.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created C:\autorun.inf server.exe File opened for modification C:\autorun.inf server.exe File created F:\autorun.inf server.exe File opened for modification F:\autorun.inf server.exe -
Drops file in System32 directory 54 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File created C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe File opened for modification C:\Windows\SysWOW64\Dock.exe server.exe -
Drops file in Program Files directory 54 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File created C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe File opened for modification C:\Program Files (x86)\Dock.exe server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 984c7149b8a948d4fb3b5c50f8f006206a985841203f647d66b0880e56a55e08.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe 1648 server.exe -
Suspicious use of AdjustPrivilegeToken 53 IoCs
description pid Process Token: SeDebugPrivilege 1648 server.exe Token: SeDebugPrivilege 2792 server.exe Token: SeDebugPrivilege 852 server.exe Token: SeDebugPrivilege 2404 server.exe Token: SeDebugPrivilege 2584 server.exe Token: SeDebugPrivilege 2788 server.exe Token: SeDebugPrivilege 2044 server.exe Token: SeDebugPrivilege 2892 server.exe Token: SeDebugPrivilege 2412 server.exe Token: SeDebugPrivilege 1688 server.exe Token: SeDebugPrivilege 1432 server.exe Token: SeDebugPrivilege 2644 server.exe Token: SeDebugPrivilege 2188 server.exe Token: SeDebugPrivilege 2020 server.exe Token: SeDebugPrivilege 976 server.exe Token: SeDebugPrivilege 708 server.exe Token: SeDebugPrivilege 2724 server.exe Token: SeDebugPrivilege 3052 server.exe Token: SeDebugPrivilege 1792 server.exe Token: SeDebugPrivilege 640 server.exe Token: SeDebugPrivilege 1648 server.exe Token: SeDebugPrivilege 2580 server.exe Token: SeDebugPrivilege 1688 server.exe Token: SeDebugPrivilege 1604 server.exe Token: SeDebugPrivilege 2028 server.exe Token: SeDebugPrivilege 2776 server.exe Token: SeDebugPrivilege 956 server.exe Token: SeDebugPrivilege 996 server.exe Token: SeDebugPrivilege 2636 server.exe Token: SeDebugPrivilege 1976 server.exe Token: SeDebugPrivilege 2192 server.exe Token: SeDebugPrivilege 352 server.exe Token: SeDebugPrivilege 2276 server.exe Token: SeDebugPrivilege 3056 server.exe Token: SeDebugPrivilege 3048 server.exe Token: SeDebugPrivilege 1808 server.exe Token: SeDebugPrivilege 2728 server.exe Token: SeDebugPrivilege 3016 server.exe Token: SeDebugPrivilege 1632 server.exe Token: SeDebugPrivilege 1792 server.exe Token: SeDebugPrivilege 2716 server.exe Token: SeDebugPrivilege 2256 server.exe Token: SeDebugPrivilege 1360 server.exe Token: SeDebugPrivilege 2836 server.exe Token: SeDebugPrivilege 2736 server.exe Token: SeDebugPrivilege 700 server.exe Token: SeDebugPrivilege 2616 server.exe Token: SeDebugPrivilege 568 server.exe Token: SeDebugPrivilege 2380 server.exe Token: SeDebugPrivilege 2652 server.exe Token: SeDebugPrivilege 2148 server.exe Token: SeDebugPrivilege 2668 server.exe Token: SeDebugPrivilege 552 server.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1444 wrote to memory of 1648 1444 984c7149b8a948d4fb3b5c50f8f006206a985841203f647d66b0880e56a55e08.exe 30 PID 1444 wrote to memory of 1648 1444 984c7149b8a948d4fb3b5c50f8f006206a985841203f647d66b0880e56a55e08.exe 30 PID 1444 wrote to memory of 1648 1444 984c7149b8a948d4fb3b5c50f8f006206a985841203f647d66b0880e56a55e08.exe 30 PID 1444 wrote to memory of 1648 1444 984c7149b8a948d4fb3b5c50f8f006206a985841203f647d66b0880e56a55e08.exe 30 PID 1648 wrote to memory of 2872 1648 server.exe 31 PID 1648 wrote to memory of 2872 1648 server.exe 31 PID 1648 wrote to memory of 2872 1648 server.exe 31 PID 1648 wrote to memory of 2872 1648 server.exe 31 PID 1648 wrote to memory of 3056 1648 server.exe 33 PID 1648 wrote to memory of 3056 1648 server.exe 33 PID 1648 wrote to memory of 3056 1648 server.exe 33 PID 1648 wrote to memory of 3056 1648 server.exe 33 PID 1648 wrote to memory of 3060 1648 server.exe 34 PID 1648 wrote to memory of 3060 1648 server.exe 34 PID 1648 wrote to memory of 3060 1648 server.exe 34 PID 1648 wrote to memory of 3060 1648 server.exe 34 PID 1648 wrote to memory of 2940 1648 server.exe 37 PID 1648 wrote to memory of 2940 1648 server.exe 37 PID 1648 wrote to memory of 2940 1648 server.exe 37 PID 1648 wrote to memory of 2940 1648 server.exe 37 PID 2940 wrote to memory of 2792 2940 svchost.exe 38 PID 2940 wrote to memory of 2792 2940 svchost.exe 38 PID 2940 wrote to memory of 2792 2940 svchost.exe 38 PID 2940 wrote to memory of 2792 2940 svchost.exe 38 PID 2792 wrote to memory of 1564 2792 server.exe 39 PID 2792 wrote to memory of 1564 2792 server.exe 39 PID 2792 wrote to memory of 1564 2792 server.exe 39 PID 2792 wrote to memory of 1564 2792 server.exe 39 PID 2792 wrote to memory of 1036 2792 server.exe 41 PID 2792 wrote to memory of 1036 2792 server.exe 41 PID 2792 wrote to memory of 1036 2792 server.exe 41 PID 2792 wrote to memory of 1036 2792 server.exe 41 PID 2792 wrote to memory of 2236 2792 server.exe 42 PID 2792 wrote to memory of 2236 2792 server.exe 42 PID 2792 wrote to memory of 2236 2792 server.exe 42 PID 2792 wrote to memory of 2236 2792 server.exe 42 PID 2792 wrote to memory of 1636 2792 server.exe 45 PID 2792 wrote to memory of 1636 2792 server.exe 45 PID 2792 wrote to memory of 1636 2792 server.exe 45 PID 2792 wrote to memory of 1636 2792 server.exe 45 PID 1636 wrote to memory of 852 1636 svchost.exe 46 PID 1636 wrote to memory of 852 1636 svchost.exe 46 PID 1636 wrote to memory of 852 1636 svchost.exe 46 PID 1636 wrote to memory of 852 1636 svchost.exe 46 PID 852 wrote to memory of 1516 852 server.exe 47 PID 852 wrote to memory of 1516 852 server.exe 47 PID 852 wrote to memory of 1516 852 server.exe 47 PID 852 wrote to memory of 1516 852 server.exe 47 PID 852 wrote to memory of 1852 852 server.exe 49 PID 852 wrote to memory of 1852 852 server.exe 49 PID 852 wrote to memory of 1852 852 server.exe 49 PID 852 wrote to memory of 1852 852 server.exe 49 PID 852 wrote to memory of 2032 852 server.exe 50 PID 852 wrote to memory of 2032 852 server.exe 50 PID 852 wrote to memory of 2032 852 server.exe 50 PID 852 wrote to memory of 2032 852 server.exe 50 PID 852 wrote to memory of 2496 852 server.exe 53 PID 852 wrote to memory of 2496 852 server.exe 53 PID 852 wrote to memory of 2496 852 server.exe 53 PID 852 wrote to memory of 2496 852 server.exe 53 PID 2496 wrote to memory of 2404 2496 svchost.exe 54 PID 2496 wrote to memory of 2404 2496 svchost.exe 54 PID 2496 wrote to memory of 2404 2496 svchost.exe 54 PID 2496 wrote to memory of 2404 2496 svchost.exe 54
Processes
-
C:\Users\Admin\AppData\Local\Temp\984c7149b8a948d4fb3b5c50f8f006206a985841203f647d66b0880e56a55e08.exe"C:\Users\Admin\AppData\Local\Temp\984c7149b8a948d4fb3b5c50f8f006206a985841203f647d66b0880e56a55e08.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2872
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3056
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:3060
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1564
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"5⤵PID:1036
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE5⤵
- System Location Discovery: System Language Discovery
PID:2236
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE7⤵
- Modifies Windows Firewall
PID:1516
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"7⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1852
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE7⤵PID:2032
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"8⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2404 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE9⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2420
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"9⤵
- Modifies Windows Firewall
PID:2724
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE9⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2856
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"10⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2584 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE11⤵
- System Location Discovery: System Language Discovery
PID:2884
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"11⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2020
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE11⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2904
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"12⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2788 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE13⤵
- Modifies Windows Firewall
PID:2192
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"13⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2220
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE13⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2208
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"14⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2044 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE15⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1000
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"15⤵PID:1736
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE15⤵
- Modifies Windows Firewall
PID:2464
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1076 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"16⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2892 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE17⤵
- Modifies Windows Firewall
PID:2900
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"17⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1600
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE17⤵PID:2420
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2816 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2412 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE19⤵
- Modifies Windows Firewall
PID:2760
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"19⤵
- System Location Discovery: System Language Discovery
PID:1660
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE19⤵PID:1712
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"20⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1688 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE21⤵PID:3044
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"21⤵
- Modifies Windows Firewall
PID:568
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE21⤵PID:2072
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"22⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1432 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE23⤵
- System Location Discovery: System Language Discovery
PID:1016
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"23⤵PID:2476
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE23⤵
- System Location Discovery: System Language Discovery
PID:1000
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:996 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"24⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2644 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE25⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2612
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"25⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2392
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE25⤵PID:2076
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"26⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2188 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE27⤵PID:2652
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"27⤵
- Modifies Windows Firewall
- System Location Discovery: System Language Discovery
PID:2444
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE27⤵
- Modifies Windows Firewall
PID:2224
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"28⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2020 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE29⤵PID:2272
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"29⤵
- System Location Discovery: System Language Discovery
PID:1796
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE29⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1860
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"30⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:976 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE31⤵PID:1512
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"31⤵
- Modifies Windows Firewall
PID:2040
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE31⤵PID:2204
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"32⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:708 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE33⤵
- Modifies Windows Firewall
PID:884
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"33⤵
- Modifies Windows Firewall
PID:2732
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE33⤵
- System Location Discovery: System Language Discovery
PID:2636
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"33⤵
- Executes dropped EXE
PID:2900 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"34⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2724 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE35⤵
- Modifies Windows Firewall
- System Location Discovery: System Language Discovery
PID:480
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"35⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2872
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE35⤵
- System Location Discovery: System Language Discovery
PID:2280
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"35⤵
- Executes dropped EXE
PID:2776 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"36⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3052 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE37⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:968
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"37⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3048
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE37⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1764
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"37⤵
- Executes dropped EXE
PID:672 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"38⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1792 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE39⤵
- System Location Discovery: System Language Discovery
PID:2424
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"39⤵PID:2960
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE39⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2292
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"40⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:640 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE41⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2640
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"41⤵
- Modifies Windows Firewall
PID:2060
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE41⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2744
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"41⤵
- Executes dropped EXE
PID:1820 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"42⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1648 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE43⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1844
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"43⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1976
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE43⤵
- System Location Discovery: System Language Discovery
PID:1172
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"43⤵
- Executes dropped EXE
PID:2724 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2580 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE45⤵PID:972
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"45⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2172
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE45⤵
- System Location Discovery: System Language Discovery
PID:1908
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"45⤵
- Executes dropped EXE
PID:3052 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"46⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1688 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE47⤵
- Modifies Windows Firewall
- System Location Discovery: System Language Discovery
PID:1016
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"47⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:556
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE47⤵PID:344
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"47⤵
- Executes dropped EXE
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"48⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1604 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE49⤵
- Modifies Windows Firewall
- System Location Discovery: System Language Discovery
PID:2684
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"49⤵PID:2868
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE49⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2980
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"49⤵
- Executes dropped EXE
PID:1980 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"50⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2028 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE51⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2756
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"51⤵PID:552
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE51⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2872
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"52⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2776 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE53⤵PID:108
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"53⤵PID:2092
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE53⤵
- Modifies Windows Firewall
PID:2428
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1056 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"54⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:956 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE55⤵PID:2512
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"55⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2328
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE55⤵PID:2040
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"55⤵
- Executes dropped EXE
PID:1704 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"56⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:996 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE57⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2908
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"57⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1664
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE57⤵PID:2672
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"57⤵
- Executes dropped EXE
PID:2812 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"58⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2636 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE59⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2912
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"59⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1584
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE59⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1624
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"59⤵
- Executes dropped EXE
PID:2944 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"60⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1976 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE61⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2272
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"61⤵PID:2724
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE61⤵
- Modifies Windows Firewall
- System Location Discovery: System Language Discovery
PID:908
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"61⤵
- Executes dropped EXE
PID:848 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"62⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2192 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE63⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1852
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"63⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2836
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE63⤵
- Modifies Windows Firewall
PID:2096
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"63⤵
- Executes dropped EXE
PID:2512 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"64⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:352 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE65⤵
- Modifies Windows Firewall
PID:2380
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"65⤵PID:2404
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE65⤵
- Modifies Windows Firewall
- System Location Discovery: System Language Discovery
PID:2228
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"65⤵
- Executes dropped EXE
PID:2772 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"66⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2276 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE67⤵
- Modifies Windows Firewall
PID:2920
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"67⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1844
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE67⤵
- Modifies Windows Firewall
- System Location Discovery: System Language Discovery
PID:2280
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"67⤵
- System Location Discovery: System Language Discovery
PID:1436 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"68⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3056 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE69⤵PID:2364
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"69⤵PID:1348
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE69⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2952
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"69⤵PID:2776
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"70⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3048 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE71⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1576
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"71⤵PID:3032
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE71⤵PID:284
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"71⤵PID:1708
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"72⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1808 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE73⤵
- Modifies Windows Firewall
PID:1208
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"73⤵
- Modifies Windows Firewall
PID:392
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE73⤵PID:2648
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"73⤵
- System Location Discovery: System Language Discovery
PID:1404 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"74⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2728 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE75⤵PID:2564
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"75⤵
- Modifies Windows Firewall
- System Location Discovery: System Language Discovery
PID:2244
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE75⤵PID:2308
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"75⤵PID:2064
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"76⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3016 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE77⤵PID:2532
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"77⤵
- Modifies Windows Firewall
PID:2284
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE77⤵
- Modifies Windows Firewall
PID:2220
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"77⤵PID:2984
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"78⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1632 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE79⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2776
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"79⤵
- Modifies Windows Firewall
- System Location Discovery: System Language Discovery
PID:2072
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE79⤵PID:268
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"79⤵PID:2352
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"80⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1792 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE81⤵PID:936
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"81⤵PID:2976
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE81⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2292
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"81⤵
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"82⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2716 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE83⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2772
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"83⤵
- Modifies Windows Firewall
PID:2796
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE83⤵PID:2936
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"83⤵PID:2276
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"84⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2256 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE85⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2148
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"85⤵
- Modifies Windows Firewall
PID:2272
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE85⤵PID:1624
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"85⤵PID:1760
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"86⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1360 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE87⤵
- Modifies Windows Firewall
- System Location Discovery: System Language Discovery
PID:1504
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"87⤵PID:2788
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE87⤵
- System Location Discovery: System Language Discovery
PID:2172
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"87⤵PID:1800
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"88⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2836 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE89⤵
- Modifies Windows Firewall
PID:1592
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"89⤵
- Modifies Windows Firewall
- System Location Discovery: System Language Discovery
PID:1684
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE89⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2096
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"89⤵PID:936
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"90⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2736 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE91⤵
- System Location Discovery: System Language Discovery
PID:2800
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"91⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2524
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE91⤵
- Modifies Windows Firewall
PID:2988
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"91⤵PID:2560
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"92⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:700 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE93⤵PID:3044
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"93⤵PID:2180
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE93⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2948
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"93⤵PID:2256
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"94⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2616 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE95⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2004
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"95⤵
- Modifies Windows Firewall
- System Location Discovery: System Language Discovery
PID:2972
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE95⤵PID:2984
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"95⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"96⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:568 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE97⤵PID:2684
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"97⤵
- Modifies Windows Firewall
PID:352
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE97⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1432
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"97⤵PID:1488
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"98⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2380 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE99⤵PID:1404
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"99⤵
- Event Triggered Execution: Netsh Helper DLL
PID:536
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE99⤵PID:2128
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"99⤵PID:480
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"100⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2652 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE101⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2560
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"101⤵PID:680
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE101⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2724
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"101⤵PID:2020
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"102⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2148 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE103⤵
- Modifies Windows Firewall
- System Location Discovery: System Language Discovery
PID:1436
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"103⤵PID:1204
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE103⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3036
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"103⤵PID:2288
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"104⤵
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE105⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1104
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"105⤵
- Modifies Windows Firewall
PID:3012
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE105⤵
- Modifies Windows Firewall
PID:1000
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"105⤵PID:2748
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"106⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2668 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE107⤵
- System Location Discovery: System Language Discovery
PID:1968
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"107⤵
- System Location Discovery: System Language Discovery
PID:1152
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE107⤵
- Modifies Windows Firewall
- System Location Discovery: System Language Discovery
PID:2932
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"107⤵
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"108⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:552 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE109⤵
- Modifies Windows Firewall
PID:2244
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"109⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1560
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE109⤵
- Modifies Windows Firewall
PID:2064
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"109⤵PID:3044
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
44B
MD5298802dff6aa26d4fb941c7ccf5c0849
SHA111e518ca3409f1863ebc2d3f1be9fb701bad52c0
SHA256df99fdbdf7b92b29b1bf1ca4283b4de2e04643b9739d2d1089ab5808e8e5665d
SHA5120301017dfef1b74855d6535f3fd542257689479cb933c2e8742b5b6b94e26107fa38e7fc21bdb83d45184750eced344856092330fb30a1ebbc24b2b9004c8946
-
Filesize
5B
MD569cf10399d0d1350c3698099796624cb
SHA1d0b58b76ff065f51172971853a7da414286d9ea7
SHA256a7bff94c7cdef50b67a3bab142ebcec4d360491e339581c41f433fec6d002f48
SHA5125e1c9745b2b529c026e51fbff7fd4e1e0bd208c705b7da830459758d28c01b32b9bc93caa7ad60228d3e785784023d8a739fda0dab62d3c76770ea84c257f1f7
-
Filesize
93KB
MD5173883b31d172e5140f98fd0e927ff10
SHA11e477ebc749e1ef65c820cfb959d96ffc058b587
SHA256984c7149b8a948d4fb3b5c50f8f006206a985841203f647d66b0880e56a55e08
SHA51201d262922177e746898cfdf9fee9d7b85a273ff43d445cf40f5ee989b51a08bfe71eb270b501a164192565666e4aaef701cbf6594e89c152d9acc43ca881c56a