Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    17-12-2024 04:06

General

  • Target

    984c7149b8a948d4fb3b5c50f8f006206a985841203f647d66b0880e56a55e08.exe

  • Size

    93KB

  • MD5

    173883b31d172e5140f98fd0e927ff10

  • SHA1

    1e477ebc749e1ef65c820cfb959d96ffc058b587

  • SHA256

    984c7149b8a948d4fb3b5c50f8f006206a985841203f647d66b0880e56a55e08

  • SHA512

    01d262922177e746898cfdf9fee9d7b85a273ff43d445cf40f5ee989b51a08bfe71eb270b501a164192565666e4aaef701cbf6594e89c152d9acc43ca881c56a

  • SSDEEP

    1536:XFJGER1tMnnwlOU5oTRKwjEwzGi1dDsKngS:XFJMnnwlOUWT0hi1dzg

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

dock

C2

hakim32.ddns.net:2000

127.0.0.1:555

Mutex

c772fa1f7fc98d866443249d79c0b299

Attributes
  • reg_key

    c772fa1f7fc98d866443249d79c0b299

  • splitter

    |'|'|

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Disables Task Manager via registry modification
  • Modifies Windows Firewall 2 TTPs 64 IoCs
  • Drops startup file 64 IoCs
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 54 IoCs
  • Drops file in Program Files directory 54 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\984c7149b8a948d4fb3b5c50f8f006206a985841203f647d66b0880e56a55e08.exe
    "C:\Users\Admin\AppData\Local\Temp\984c7149b8a948d4fb3b5c50f8f006206a985841203f647d66b0880e56a55e08.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:2872
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:3056
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:3060
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2940
        • C:\Users\Admin\AppData\Local\Temp\server.exe
          "C:\Users\Admin\AppData\Local\Temp\server.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2792
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:1564
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
            5⤵
              PID:1036
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2236
            • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1636
              • C:\Users\Admin\AppData\Local\Temp\server.exe
                "C:\Users\Admin\AppData\Local\Temp\server.exe"
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • Drops file in Program Files directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:852
                • C:\Windows\SysWOW64\netsh.exe
                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                  7⤵
                  • Modifies Windows Firewall
                  PID:1516
                • C:\Windows\SysWOW64\netsh.exe
                  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                  7⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  PID:1852
                • C:\Windows\SysWOW64\netsh.exe
                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                  7⤵
                    PID:2032
                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                    7⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of WriteProcessMemory
                    PID:2496
                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                      8⤵
                      • Drops startup file
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • Drops file in Program Files directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2404
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                        9⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        PID:2420
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                        9⤵
                        • Modifies Windows Firewall
                        PID:2724
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                        9⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:2856
                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                        9⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:1788
                        • C:\Users\Admin\AppData\Local\Temp\server.exe
                          "C:\Users\Admin\AppData\Local\Temp\server.exe"
                          10⤵
                          • Drops startup file
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • Drops file in Program Files directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2584
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                            11⤵
                            • System Location Discovery: System Language Discovery
                            PID:2884
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                            11⤵
                            • Modifies Windows Firewall
                            • Event Triggered Execution: Netsh Helper DLL
                            PID:2020
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                            11⤵
                            • Event Triggered Execution: Netsh Helper DLL
                            PID:2904
                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                            11⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            PID:2928
                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                              12⤵
                              • Drops startup file
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              • Drops file in Program Files directory
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2788
                              • C:\Windows\SysWOW64\netsh.exe
                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                13⤵
                                • Modifies Windows Firewall
                                PID:2192
                              • C:\Windows\SysWOW64\netsh.exe
                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                13⤵
                                • Event Triggered Execution: Netsh Helper DLL
                                PID:2220
                              • C:\Windows\SysWOW64\netsh.exe
                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                13⤵
                                • Modifies Windows Firewall
                                • Event Triggered Execution: Netsh Helper DLL
                                PID:2208
                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                13⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                PID:1636
                                • C:\Users\Admin\AppData\Local\Temp\server.exe
                                  "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                  14⤵
                                  • Drops startup file
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Drops file in System32 directory
                                  • Drops file in Program Files directory
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2044
                                  • C:\Windows\SysWOW64\netsh.exe
                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                    15⤵
                                    • Event Triggered Execution: Netsh Helper DLL
                                    PID:1000
                                  • C:\Windows\SysWOW64\netsh.exe
                                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                    15⤵
                                      PID:1736
                                    • C:\Windows\SysWOW64\netsh.exe
                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                      15⤵
                                      • Modifies Windows Firewall
                                      PID:2464
                                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                      15⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      PID:1076
                                      • C:\Users\Admin\AppData\Local\Temp\server.exe
                                        "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                        16⤵
                                        • Drops startup file
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Drops file in System32 directory
                                        • Drops file in Program Files directory
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2892
                                        • C:\Windows\SysWOW64\netsh.exe
                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                          17⤵
                                          • Modifies Windows Firewall
                                          PID:2900
                                        • C:\Windows\SysWOW64\netsh.exe
                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                          17⤵
                                          • Modifies Windows Firewall
                                          • Event Triggered Execution: Netsh Helper DLL
                                          PID:1600
                                        • C:\Windows\SysWOW64\netsh.exe
                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                          17⤵
                                            PID:2420
                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                            17⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • System Location Discovery: System Language Discovery
                                            PID:2816
                                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                              18⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Drops file in System32 directory
                                              • Drops file in Program Files directory
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2412
                                              • C:\Windows\SysWOW64\netsh.exe
                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                19⤵
                                                • Modifies Windows Firewall
                                                PID:2760
                                              • C:\Windows\SysWOW64\netsh.exe
                                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                19⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:1660
                                              • C:\Windows\SysWOW64\netsh.exe
                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                19⤵
                                                  PID:1712
                                                • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                  19⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  PID:2584
                                                  • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                    20⤵
                                                    • Drops startup file
                                                    • Executes dropped EXE
                                                    • Loads dropped DLL
                                                    • Drops file in System32 directory
                                                    • Drops file in Program Files directory
                                                    • System Location Discovery: System Language Discovery
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1688
                                                    • C:\Windows\SysWOW64\netsh.exe
                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                      21⤵
                                                        PID:3044
                                                      • C:\Windows\SysWOW64\netsh.exe
                                                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                        21⤵
                                                        • Modifies Windows Firewall
                                                        PID:568
                                                      • C:\Windows\SysWOW64\netsh.exe
                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                        21⤵
                                                          PID:2072
                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                          21⤵
                                                          • Executes dropped EXE
                                                          • Loads dropped DLL
                                                          PID:2512
                                                          • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                            22⤵
                                                            • Drops startup file
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Drops file in System32 directory
                                                            • Drops file in Program Files directory
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:1432
                                                            • C:\Windows\SysWOW64\netsh.exe
                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                              23⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:1016
                                                            • C:\Windows\SysWOW64\netsh.exe
                                                              netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                              23⤵
                                                                PID:2476
                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                23⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:1000
                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                23⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                PID:996
                                                                • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                  24⤵
                                                                  • Drops startup file
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • Drops file in System32 directory
                                                                  • Drops file in Program Files directory
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2644
                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                    25⤵
                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:2612
                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                    25⤵
                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                    PID:2392
                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                    25⤵
                                                                      PID:2076
                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                      25⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      PID:1648
                                                                      • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                        26⤵
                                                                        • Drops startup file
                                                                        • Executes dropped EXE
                                                                        • Loads dropped DLL
                                                                        • Drops file in System32 directory
                                                                        • Drops file in Program Files directory
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2188
                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                          27⤵
                                                                            PID:2652
                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                            27⤵
                                                                            • Modifies Windows Firewall
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:2444
                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                            27⤵
                                                                            • Modifies Windows Firewall
                                                                            PID:2224
                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                            27⤵
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:2940
                                                                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                              28⤵
                                                                              • Drops startup file
                                                                              • Executes dropped EXE
                                                                              • Loads dropped DLL
                                                                              • Drops file in System32 directory
                                                                              • Drops file in Program Files directory
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2020
                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                29⤵
                                                                                  PID:2272
                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                  29⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:1796
                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                  29⤵
                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:1860
                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                  29⤵
                                                                                  • Executes dropped EXE
                                                                                  • Loads dropped DLL
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:1688
                                                                                  • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                    30⤵
                                                                                    • Drops startup file
                                                                                    • Executes dropped EXE
                                                                                    • Loads dropped DLL
                                                                                    • Drops file in System32 directory
                                                                                    • Drops file in Program Files directory
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:976
                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                      31⤵
                                                                                        PID:1512
                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                        31⤵
                                                                                        • Modifies Windows Firewall
                                                                                        PID:2040
                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                        31⤵
                                                                                          PID:2204
                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                          31⤵
                                                                                          • Executes dropped EXE
                                                                                          • Loads dropped DLL
                                                                                          PID:1808
                                                                                          • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                            32⤵
                                                                                            • Drops startup file
                                                                                            • Executes dropped EXE
                                                                                            • Loads dropped DLL
                                                                                            • Drops file in System32 directory
                                                                                            • Drops file in Program Files directory
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:708
                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                              33⤵
                                                                                              • Modifies Windows Firewall
                                                                                              PID:884
                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                              netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                              33⤵
                                                                                              • Modifies Windows Firewall
                                                                                              PID:2732
                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                              33⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:2636
                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                              "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                              33⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:2900
                                                                                              • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                34⤵
                                                                                                • Drops startup file
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • Drops file in Program Files directory
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2724
                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                  35⤵
                                                                                                  • Modifies Windows Firewall
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:480
                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                  35⤵
                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                  PID:2872
                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                  35⤵
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:2280
                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                  35⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:2776
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                    36⤵
                                                                                                    • Drops startup file
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    • Drops file in Program Files directory
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:3052
                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                      37⤵
                                                                                                      • Modifies Windows Firewall
                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                      PID:968
                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                      37⤵
                                                                                                      • Modifies Windows Firewall
                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                      PID:3048
                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                      37⤵
                                                                                                      • Modifies Windows Firewall
                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:1764
                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                      37⤵
                                                                                                      • Executes dropped EXE
                                                                                                      PID:672
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                        38⤵
                                                                                                        • Drops startup file
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in System32 directory
                                                                                                        • Drops file in Program Files directory
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:1792
                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                          39⤵
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:2424
                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                          39⤵
                                                                                                            PID:2960
                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                            39⤵
                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:2292
                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                            39⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:2696
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                              40⤵
                                                                                                              • Drops startup file
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              • Drops file in Program Files directory
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:640
                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                41⤵
                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                PID:2640
                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                41⤵
                                                                                                                • Modifies Windows Firewall
                                                                                                                PID:2060
                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                41⤵
                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                PID:2744
                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                41⤵
                                                                                                                • Executes dropped EXE
                                                                                                                PID:1820
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                  42⤵
                                                                                                                  • Drops startup file
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • Drops file in Program Files directory
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:1648
                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                    43⤵
                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                    PID:1844
                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                    43⤵
                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                    PID:1976
                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                    43⤵
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:1172
                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                    43⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:2724
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                      44⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      • Drops file in Program Files directory
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      PID:2580
                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                        45⤵
                                                                                                                          PID:972
                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                          45⤵
                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:2172
                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                          45⤵
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:1908
                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                          45⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:3052
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                            46⤵
                                                                                                                            • Drops startup file
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            • Drops file in Program Files directory
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:1688
                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                              47⤵
                                                                                                                              • Modifies Windows Firewall
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:1016
                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                              netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                              47⤵
                                                                                                                              • Modifies Windows Firewall
                                                                                                                              • Event Triggered Execution: Netsh Helper DLL
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:556
                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                              47⤵
                                                                                                                                PID:344
                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                47⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:2044
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                  48⤵
                                                                                                                                  • Drops startup file
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                  PID:1604
                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                    49⤵
                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:2684
                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                    49⤵
                                                                                                                                      PID:2868
                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                      49⤵
                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                      PID:2980
                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                      49⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      PID:1980
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                        50⤵
                                                                                                                                        • Drops startup file
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Drops file in System32 directory
                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                        PID:2028
                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                          51⤵
                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                          PID:2756
                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                          51⤵
                                                                                                                                            PID:552
                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                            51⤵
                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                            PID:2872
                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                            51⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:1788
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                              52⤵
                                                                                                                                              • Drops startup file
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:2776
                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                53⤵
                                                                                                                                                  PID:108
                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                  53⤵
                                                                                                                                                    PID:2092
                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                    53⤵
                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                    PID:2428
                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                    53⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:1056
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                      54⤵
                                                                                                                                                      • Drops startup file
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                      PID:956
                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                        55⤵
                                                                                                                                                          PID:2512
                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                          55⤵
                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                          PID:2328
                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                          55⤵
                                                                                                                                                            PID:2040
                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                            55⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            PID:1704
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                              56⤵
                                                                                                                                                              • Drops startup file
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                              PID:996
                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                57⤵
                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                PID:2908
                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                57⤵
                                                                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                PID:1664
                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                57⤵
                                                                                                                                                                  PID:2672
                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                  57⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  PID:2812
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                    58⤵
                                                                                                                                                                    • Drops startup file
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                    PID:2636
                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                      59⤵
                                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:2912
                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                      59⤵
                                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                      PID:1584
                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                      59⤵
                                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                      PID:1624
                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                      59⤵
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      PID:2944
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                        60⤵
                                                                                                                                                                        • Drops startup file
                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                        PID:1976
                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                          61⤵
                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                          PID:2272
                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                          61⤵
                                                                                                                                                                            PID:2724
                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                            61⤵
                                                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                            PID:908
                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                            61⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            PID:848
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                              62⤵
                                                                                                                                                                              • Drops startup file
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                              PID:2192
                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                63⤵
                                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                PID:1852
                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                63⤵
                                                                                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                PID:2836
                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                63⤵
                                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                                PID:2096
                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                63⤵
                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                PID:2512
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                  64⤵
                                                                                                                                                                                  • Drops startup file
                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                  PID:352
                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                    65⤵
                                                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                                                    PID:2380
                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                    65⤵
                                                                                                                                                                                      PID:2404
                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                      65⤵
                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      PID:2228
                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                      65⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      PID:2772
                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                        66⤵
                                                                                                                                                                                        • Drops startup file
                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                        PID:2276
                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                          67⤵
                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                          PID:2920
                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                          67⤵
                                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                          PID:1844
                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                          67⤵
                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                          PID:2280
                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                          67⤵
                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                          PID:1436
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                            68⤵
                                                                                                                                                                                            • Drops startup file
                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                            PID:3056
                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                              69⤵
                                                                                                                                                                                                PID:2364
                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                69⤵
                                                                                                                                                                                                  PID:1348
                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                  69⤵
                                                                                                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                  PID:2952
                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                  69⤵
                                                                                                                                                                                                    PID:2776
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                      70⤵
                                                                                                                                                                                                      • Drops startup file
                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                      PID:3048
                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                        71⤵
                                                                                                                                                                                                        • Modifies Windows Firewall
                                                                                                                                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                        PID:1576
                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                        71⤵
                                                                                                                                                                                                          PID:3032
                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                          71⤵
                                                                                                                                                                                                            PID:284
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                            71⤵
                                                                                                                                                                                                              PID:1708
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                72⤵
                                                                                                                                                                                                                • Drops startup file
                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                • Drops file in Program Files directory
                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                PID:1808
                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                  73⤵
                                                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                                                  PID:1208
                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                  73⤵
                                                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                                                  PID:392
                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                  73⤵
                                                                                                                                                                                                                    PID:2648
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                    73⤵
                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                    PID:1404
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                      74⤵
                                                                                                                                                                                                                      • Drops startup file
                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                      PID:2728
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                        75⤵
                                                                                                                                                                                                                          PID:2564
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                          75⤵
                                                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                          PID:2244
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                          75⤵
                                                                                                                                                                                                                            PID:2308
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                            75⤵
                                                                                                                                                                                                                              PID:2064
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                76⤵
                                                                                                                                                                                                                                • Drops startup file
                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                • Drops file in Program Files directory
                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                PID:3016
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                  77⤵
                                                                                                                                                                                                                                    PID:2532
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                    77⤵
                                                                                                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                                                                                                    PID:2284
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                    77⤵
                                                                                                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                                                                                                    PID:2220
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                    77⤵
                                                                                                                                                                                                                                      PID:2984
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                        78⤵
                                                                                                                                                                                                                                        • Drops startup file
                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                        PID:1632
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                          79⤵
                                                                                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                          PID:2776
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                          79⤵
                                                                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                          PID:2072
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                          79⤵
                                                                                                                                                                                                                                            PID:268
                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                            79⤵
                                                                                                                                                                                                                                              PID:2352
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                80⤵
                                                                                                                                                                                                                                                • Drops startup file
                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                • Drops file in Program Files directory
                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                PID:1792
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                  81⤵
                                                                                                                                                                                                                                                    PID:936
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                    81⤵
                                                                                                                                                                                                                                                      PID:2976
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                      81⤵
                                                                                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                      PID:2292
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                      81⤵
                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                      PID:1672
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                        82⤵
                                                                                                                                                                                                                                                        • Drops startup file
                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                        PID:2716
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                          83⤵
                                                                                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                          PID:2772
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                          83⤵
                                                                                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                                                                                          PID:2796
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                          83⤵
                                                                                                                                                                                                                                                            PID:2936
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                            83⤵
                                                                                                                                                                                                                                                              PID:2276
                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                84⤵
                                                                                                                                                                                                                                                                • Drops startup file
                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                • Drops file in Program Files directory
                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                PID:2256
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                  85⤵
                                                                                                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                  PID:2148
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                  85⤵
                                                                                                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                                                                                                  PID:2272
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                  85⤵
                                                                                                                                                                                                                                                                    PID:1624
                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                    85⤵
                                                                                                                                                                                                                                                                      PID:1760
                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                        86⤵
                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                        PID:1360
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                          87⤵
                                                                                                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                          PID:1504
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                          87⤵
                                                                                                                                                                                                                                                                            PID:2788
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                            87⤵
                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                            PID:2172
                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                            87⤵
                                                                                                                                                                                                                                                                              PID:1800
                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                88⤵
                                                                                                                                                                                                                                                                                • Drops startup file
                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                PID:2836
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                  89⤵
                                                                                                                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                  PID:1592
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                  89⤵
                                                                                                                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                  PID:1684
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                  89⤵
                                                                                                                                                                                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                  PID:2096
                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                  89⤵
                                                                                                                                                                                                                                                                                    PID:936
                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                      90⤵
                                                                                                                                                                                                                                                                                      • Drops startup file
                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                      PID:2736
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                        91⤵
                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                        PID:2800
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                        91⤵
                                                                                                                                                                                                                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                        PID:2524
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                        91⤵
                                                                                                                                                                                                                                                                                        • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                        PID:2988
                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                        91⤵
                                                                                                                                                                                                                                                                                          PID:2560
                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                            92⤵
                                                                                                                                                                                                                                                                                            • Drops startup file
                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                            PID:700
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                              93⤵
                                                                                                                                                                                                                                                                                                PID:3044
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                93⤵
                                                                                                                                                                                                                                                                                                  PID:2180
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                  93⤵
                                                                                                                                                                                                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                  PID:2948
                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                  93⤵
                                                                                                                                                                                                                                                                                                    PID:2256
                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                      94⤵
                                                                                                                                                                                                                                                                                                      • Drops startup file
                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                      PID:2616
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                        95⤵
                                                                                                                                                                                                                                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                        PID:2004
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                        95⤵
                                                                                                                                                                                                                                                                                                        • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                        PID:2972
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                        95⤵
                                                                                                                                                                                                                                                                                                          PID:2984
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                          95⤵
                                                                                                                                                                                                                                                                                                            PID:1632
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                              96⤵
                                                                                                                                                                                                                                                                                                              • Drops startup file
                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                              PID:568
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                97⤵
                                                                                                                                                                                                                                                                                                                  PID:2684
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                  97⤵
                                                                                                                                                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                  PID:352
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                  97⤵
                                                                                                                                                                                                                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                  PID:1432
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                  97⤵
                                                                                                                                                                                                                                                                                                                    PID:1488
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                      98⤵
                                                                                                                                                                                                                                                                                                                      • Drops startup file
                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                      PID:2380
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                        99⤵
                                                                                                                                                                                                                                                                                                                          PID:1404
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                          99⤵
                                                                                                                                                                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                          PID:536
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                          99⤵
                                                                                                                                                                                                                                                                                                                            PID:2128
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                            99⤵
                                                                                                                                                                                                                                                                                                                              PID:480
                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                100⤵
                                                                                                                                                                                                                                                                                                                                • Drops startup file
                                                                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                PID:2652
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                  101⤵
                                                                                                                                                                                                                                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                  PID:2560
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                  101⤵
                                                                                                                                                                                                                                                                                                                                    PID:680
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                    101⤵
                                                                                                                                                                                                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                    PID:2724
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                    101⤵
                                                                                                                                                                                                                                                                                                                                      PID:2020
                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                        102⤵
                                                                                                                                                                                                                                                                                                                                        • Drops startup file
                                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                        PID:2148
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                          103⤵
                                                                                                                                                                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                          PID:1436
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                          103⤵
                                                                                                                                                                                                                                                                                                                                            PID:1204
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                            103⤵
                                                                                                                                                                                                                                                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                            PID:3036
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                            103⤵
                                                                                                                                                                                                                                                                                                                                              PID:2288
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                104⤵
                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                PID:2968
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                  105⤵
                                                                                                                                                                                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                  PID:1104
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                  105⤵
                                                                                                                                                                                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                  PID:3012
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                  105⤵
                                                                                                                                                                                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                  PID:1000
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                  105⤵
                                                                                                                                                                                                                                                                                                                                                    PID:2748
                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                      106⤵
                                                                                                                                                                                                                                                                                                                                                      • Drops startup file
                                                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                      PID:2668
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                        107⤵
                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                        PID:1968
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                        107⤵
                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                        PID:1152
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                        107⤵
                                                                                                                                                                                                                                                                                                                                                        • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                        PID:2932
                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                        107⤵
                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                        PID:2044
                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\server.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                          108⤵
                                                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                          PID:552
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                            109⤵
                                                                                                                                                                                                                                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                            PID:2244
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                                                                                                                                                                                                                                                                                                                                            109⤵
                                                                                                                                                                                                                                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                                                                                                            PID:1560
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                                                                                                                                                                                                                                                                            109⤵
                                                                                                                                                                                                                                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                            PID:2064
                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                                                                                                                                                                                                                                                                                                                                            109⤵
                                                                                                                                                                                                                                                                                                                                                              PID:3044

                                                                                                                                    Network

                                                                                                                                    MITRE ATT&CK Enterprise v15

                                                                                                                                    Replay Monitor

                                                                                                                                    Loading Replay Monitor...

                                                                                                                                    Downloads

                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\melt.txt

                                                                                                                                      Filesize

                                                                                                                                      44B

                                                                                                                                      MD5

                                                                                                                                      298802dff6aa26d4fb941c7ccf5c0849

                                                                                                                                      SHA1

                                                                                                                                      11e518ca3409f1863ebc2d3f1be9fb701bad52c0

                                                                                                                                      SHA256

                                                                                                                                      df99fdbdf7b92b29b1bf1ca4283b4de2e04643b9739d2d1089ab5808e8e5665d

                                                                                                                                      SHA512

                                                                                                                                      0301017dfef1b74855d6535f3fd542257689479cb933c2e8742b5b6b94e26107fa38e7fc21bdb83d45184750eced344856092330fb30a1ebbc24b2b9004c8946

                                                                                                                                    • C:\Users\Admin\AppData\Roaming\app

                                                                                                                                      Filesize

                                                                                                                                      5B

                                                                                                                                      MD5

                                                                                                                                      69cf10399d0d1350c3698099796624cb

                                                                                                                                      SHA1

                                                                                                                                      d0b58b76ff065f51172971853a7da414286d9ea7

                                                                                                                                      SHA256

                                                                                                                                      a7bff94c7cdef50b67a3bab142ebcec4d360491e339581c41f433fec6d002f48

                                                                                                                                      SHA512

                                                                                                                                      5e1c9745b2b529c026e51fbff7fd4e1e0bd208c705b7da830459758d28c01b32b9bc93caa7ad60228d3e785784023d8a739fda0dab62d3c76770ea84c257f1f7

                                                                                                                                    • \Users\Admin\AppData\Local\Temp\server.exe

                                                                                                                                      Filesize

                                                                                                                                      93KB

                                                                                                                                      MD5

                                                                                                                                      173883b31d172e5140f98fd0e927ff10

                                                                                                                                      SHA1

                                                                                                                                      1e477ebc749e1ef65c820cfb959d96ffc058b587

                                                                                                                                      SHA256

                                                                                                                                      984c7149b8a948d4fb3b5c50f8f006206a985841203f647d66b0880e56a55e08

                                                                                                                                      SHA512

                                                                                                                                      01d262922177e746898cfdf9fee9d7b85a273ff43d445cf40f5ee989b51a08bfe71eb270b501a164192565666e4aaef701cbf6594e89c152d9acc43ca881c56a

                                                                                                                                    • memory/1444-12-0x00000000744A0000-0x0000000074A4B000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      5.7MB

                                                                                                                                    • memory/1444-0-0x00000000744A1000-0x00000000744A2000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/1444-2-0x00000000744A0000-0x0000000074A4B000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      5.7MB

                                                                                                                                    • memory/1444-1-0x00000000744A0000-0x0000000074A4B000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      5.7MB

                                                                                                                                    • memory/1648-15-0x00000000744A0000-0x0000000074A4B000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      5.7MB

                                                                                                                                    • memory/1648-16-0x00000000744A0000-0x0000000074A4B000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      5.7MB

                                                                                                                                    • memory/1648-17-0x00000000744A0000-0x0000000074A4B000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      5.7MB

                                                                                                                                    • memory/1648-53-0x00000000744A0000-0x0000000074A4B000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      5.7MB

                                                                                                                                    • memory/2968-1369-0x0000000074320000-0x000000007434E000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      184KB

                                                                                                                                    • memory/2968-1368-0x0000000000480000-0x000000000049B000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      108KB

                                                                                                                                    • memory/2968-1367-0x0000000076F60000-0x000000007705A000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      1000KB

                                                                                                                                    • memory/2968-1370-0x0000000006480000-0x00000000070CA000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      12.3MB

                                                                                                                                    • memory/2968-1366-0x0000000077060000-0x000000007717F000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      1.1MB