afa601763f2a7766d2162134d441dda5335cf15c7b0ee75ba8d9759247ca48bc

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_afa601763f2a7766d2162134d441dda5335cf15c7b0ee75ba8d9759247ca48bc.exe
Size

93KB
MD5

e3246829669fd405f86615b41273ca8e
SHA1

a938850b46ce8c7cef39740a5e60688fe0130334
SHA256

afa601763f2a7766d2162134d441dda5335cf15c7b0ee75ba8d9759247ca48bc
SHA512

498b1c351e87d01a4b7bc016e47d3eddee9d891cf33c32b41dfcc8ed9c88d60050292dfd2b4e0781450c013037f425b63062bfb81a845082344676ef26acb9ca
SSDEEP

1536:GORnEoSnsqS5ut9YMR8SjEwzGi1dD+DOgS:GOtSnsqS5uTYM+7i1dQz

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 64 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1860	netsh.exe
1868	netsh.exe
2796	netsh.exe
2836	netsh.exe
1948	netsh.exe
716	netsh.exe
1716	netsh.exe
3004	netsh.exe
1284	netsh.exe
1860	netsh.exe
3004	netsh.exe
2712	netsh.exe
2612	netsh.exe
1596	netsh.exe
1608	netsh.exe
1568	netsh.exe
1644	netsh.exe
2420	netsh.exe
2944	netsh.exe
2144	netsh.exe
2252	netsh.exe
1924	netsh.exe
484	netsh.exe
2580	netsh.exe
2684	netsh.exe
2924	netsh.exe
704	netsh.exe
1808	netsh.exe
2060	netsh.exe
1344	netsh.exe
2508	netsh.exe
2972	netsh.exe
1160	netsh.exe
640	netsh.exe
1680	netsh.exe
2812	netsh.exe
1340	netsh.exe
2000	netsh.exe
2584	netsh.exe
2016	netsh.exe
1784	netsh.exe
1992	netsh.exe
1356	netsh.exe
1644	netsh.exe
1356	netsh.exe
2584	netsh.exe
2420	netsh.exe
2940	netsh.exe
2968	netsh.exe
2704	netsh.exe
1812	netsh.exe
1368	netsh.exe
2312	netsh.exe
1816	netsh.exe
1140	netsh.exe
1300	netsh.exe
1580	netsh.exe
1536	netsh.exe
1900	netsh.exe
2928	netsh.exe
1628	netsh.exe
2864	netsh.exe
1072	netsh.exe
1740	netsh.exe

Drops startup file 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2e3426a158fbbe324e78b544ba71838Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2e3426a158fbbe324e78b544ba71838Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2e3426a158fbbe324e78b544ba71838Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2e3426a158fbbe324e78b544ba71838Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2e3426a158fbbe324e78b544ba71838Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2e3426a158fbbe324e78b544ba71838Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2e3426a158fbbe324e78b544ba71838Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2e3426a158fbbe324e78b544ba71838Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2e3426a158fbbe324e78b544ba71838Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2e3426a158fbbe324e78b544ba71838Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2e3426a158fbbe324e78b544ba71838Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2e3426a158fbbe324e78b544ba71838Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2e3426a158fbbe324e78b544ba71838Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2e3426a158fbbe324e78b544ba71838Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2e3426a158fbbe324e78b544ba71838Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2e3426a158fbbe324e78b544ba71838Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2e3426a158fbbe324e78b544ba71838Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe

Executes dropped EXE 64 IoCs

pid	Process
2612	server.exe
2720	svchost.exe
1732	server.exe
1920	svchost.exe
2508	server.exe
2360	svchost.exe
2824	server.exe
2828	svchost.exe
2756	server.exe
2168	svchost.exe
716	server.exe
2216	svchost.exe
2292	server.exe
2692	svchost.exe
2684	server.exe
1236	svchost.exe
1868	server.exe
2620	svchost.exe
2948	server.exe
2332	svchost.exe
2704	server.exe
768	svchost.exe
2916	server.exe
1920	svchost.exe
1916	server.exe
2216	svchost.exe
2160	server.exe
3024	svchost.exe
1452	server.exe
972	svchost.exe
1644	server.exe
1988	svchost.exe
2620	server.exe
1864	svchost.exe
1020	server.exe
1956	svchost.exe
1968	server.exe
2108	svchost.exe
1576	server.exe
2216	svchost.exe
848	server.exe
2748	svchost.exe
1072	server.exe
2428	svchost.exe
564	server.exe
2964	svchost.exe
2072	server.exe
1808	svchost.exe
2740	server.exe
1936	svchost.exe
1784	server.exe
2604	svchost.exe
2648	server.exe
2344	svchost.exe
2668	server.exe
1012	svchost.exe
1688	server.exe
448	svchost.exe
3056	server.exe
1996	svchost.exe
1920	server.exe
1912	svchost.exe
1636	server.exe
896	svchost.exe

Loads dropped DLL 64 IoCs

pid	Process
2612	server.exe
2612	server.exe
1732	server.exe
1732	server.exe
2508	server.exe
2508	server.exe
2824	server.exe
2824	server.exe
2756	server.exe
2756	server.exe
716	server.exe
716	server.exe
2292	server.exe
2292	server.exe
2684	server.exe
2684	server.exe
1868	server.exe
1868	server.exe
2948	server.exe
2948	server.exe
2704	server.exe
2704	server.exe
2916	server.exe
2916	server.exe
1916	server.exe
1916	server.exe
2160	server.exe
2160	server.exe
1452	server.exe
1452	server.exe
1644	server.exe
1644	server.exe
2620	server.exe
2620	server.exe
1020	server.exe
1020	server.exe
1968	server.exe
1968	server.exe
1576	server.exe
1576	server.exe
848	server.exe
848	server.exe
1072	server.exe
1072	server.exe
564	server.exe
564	server.exe
2072	server.exe
2072	server.exe
2740	server.exe
2740	server.exe
1784	server.exe
1784	server.exe
2648	server.exe
2648	server.exe
2668	server.exe
2668	server.exe
1688	server.exe
1688	server.exe
3056	server.exe
3056	server.exe
1920	server.exe
1920	server.exe
1636	server.exe
1636	server.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe
File created	F:\autorun.inf	server.exe
File opened for modification	F:\autorun.inf	server.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File created	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File created	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File created	C:\Windows\server.exe	svchost.exe
File created	C:\Windows\server.exe	svchost.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe
File opened for modification	C:\Windows\server.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe
2612	server.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	server.exe
Token: SeDebugPrivilege	1732	server.exe
Token: SeDebugPrivilege	2508	server.exe
Token: SeDebugPrivilege	2824	server.exe
Token: SeDebugPrivilege	2756	server.exe
Token: SeDebugPrivilege	716	server.exe
Token: SeDebugPrivilege	2292	server.exe
Token: SeDebugPrivilege	2684	server.exe
Token: SeDebugPrivilege	1868	server.exe
Token: SeDebugPrivilege	2948	server.exe
Token: SeDebugPrivilege	2704	server.exe
Token: SeDebugPrivilege	2916	server.exe
Token: SeDebugPrivilege	1916	server.exe
Token: SeDebugPrivilege	2160	server.exe
Token: SeDebugPrivilege	1452	server.exe
Token: SeDebugPrivilege	1644	server.exe
Token: SeDebugPrivilege	2620	server.exe
Token: SeDebugPrivilege	1020	server.exe
Token: SeDebugPrivilege	1968	server.exe
Token: SeDebugPrivilege	1576	server.exe
Token: SeDebugPrivilege	848	server.exe
Token: SeDebugPrivilege	1072	server.exe
Token: SeDebugPrivilege	564	server.exe
Token: SeDebugPrivilege	2072	server.exe
Token: SeDebugPrivilege	2740	server.exe
Token: SeDebugPrivilege	1784	server.exe
Token: SeDebugPrivilege	2648	server.exe
Token: SeDebugPrivilege	2668	server.exe
Token: SeDebugPrivilege	1688	server.exe
Token: SeDebugPrivilege	3056	server.exe
Token: SeDebugPrivilege	1920	server.exe
Token: SeDebugPrivilege	1636	server.exe
Token: SeDebugPrivilege	2380	server.exe
Token: SeDebugPrivilege	1372	server.exe
Token: SeDebugPrivilege	2760	server.exe
Token: SeDebugPrivilege	2152	server.exe
Token: SeDebugPrivilege	1944	server.exe
Token: SeDebugPrivilege	2936	server.exe
Token: SeDebugPrivilege	1280	server.exe
Token: SeDebugPrivilege	1508	server.exe
Token: SeDebugPrivilege	2832	server.exe
Token: SeDebugPrivilege	856	server.exe
Token: SeDebugPrivilege	1968	server.exe
Token: SeDebugPrivilege	2376	server.exe
Token: SeDebugPrivilege	2340	server.exe
Token: SeDebugPrivilege	768	server.exe
Token: SeDebugPrivilege	1360	server.exe
Token: SeDebugPrivilege	2568	server.exe
Token: SeDebugPrivilege	2748	server.exe
Token: SeDebugPrivilege	2940	server.exe
Token: SeDebugPrivilege	2360	server.exe
Token: SeDebugPrivilege	704	server.exe
Token: SeDebugPrivilege	2508	server.exe
Token: SeDebugPrivilege	2228	server.exe
Token: SeDebugPrivilege	2688	server.exe
Token: SeDebugPrivilege	1656	server.exe
Token: SeDebugPrivilege	2724	server.exe
Token: SeDebugPrivilege	2708	server.exe
Token: SeDebugPrivilege	1072	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2612	2140	JaffaCakes118_afa601763f2a7766d2162134d441dda5335cf15c7b0ee75ba8d9759247ca48bc.exe	30
PID 2140 wrote to memory of 2612	2140	JaffaCakes118_afa601763f2a7766d2162134d441dda5335cf15c7b0ee75ba8d9759247ca48bc.exe	30
PID 2140 wrote to memory of 2612	2140	JaffaCakes118_afa601763f2a7766d2162134d441dda5335cf15c7b0ee75ba8d9759247ca48bc.exe	30
PID 2140 wrote to memory of 2612	2140	JaffaCakes118_afa601763f2a7766d2162134d441dda5335cf15c7b0ee75ba8d9759247ca48bc.exe	30
PID 2612 wrote to memory of 2832	2612	server.exe	32
PID 2612 wrote to memory of 2832	2612	server.exe	32
PID 2612 wrote to memory of 2832	2612	server.exe	32
PID 2612 wrote to memory of 2832	2612	server.exe	32
PID 2612 wrote to memory of 2876	2612	server.exe	34
PID 2612 wrote to memory of 2876	2612	server.exe	34
PID 2612 wrote to memory of 2876	2612	server.exe	34
PID 2612 wrote to memory of 2876	2612	server.exe	34
PID 2612 wrote to memory of 1808	2612	server.exe	36
PID 2612 wrote to memory of 1808	2612	server.exe	36
PID 2612 wrote to memory of 1808	2612	server.exe	36
PID 2612 wrote to memory of 1808	2612	server.exe	36
PID 2612 wrote to memory of 2720	2612	server.exe	38
PID 2612 wrote to memory of 2720	2612	server.exe	38
PID 2612 wrote to memory of 2720	2612	server.exe	38
PID 2612 wrote to memory of 2720	2612	server.exe	38
PID 2720 wrote to memory of 1732	2720	svchost.exe	39
PID 2720 wrote to memory of 1732	2720	svchost.exe	39
PID 2720 wrote to memory of 1732	2720	svchost.exe	39
PID 2720 wrote to memory of 1732	2720	svchost.exe	39
PID 1732 wrote to memory of 1944	1732	server.exe	40
PID 1732 wrote to memory of 1944	1732	server.exe	40
PID 1732 wrote to memory of 1944	1732	server.exe	40
PID 1732 wrote to memory of 1944	1732	server.exe	40
PID 1732 wrote to memory of 2272	1732	server.exe	42
PID 1732 wrote to memory of 2272	1732	server.exe	42
PID 1732 wrote to memory of 2272	1732	server.exe	42
PID 1732 wrote to memory of 2272	1732	server.exe	42
PID 1732 wrote to memory of 2236	1732	server.exe	43
PID 1732 wrote to memory of 2236	1732	server.exe	43
PID 1732 wrote to memory of 2236	1732	server.exe	43
PID 1732 wrote to memory of 2236	1732	server.exe	43
PID 1732 wrote to memory of 1920	1732	server.exe	46
PID 1732 wrote to memory of 1920	1732	server.exe	46
PID 1732 wrote to memory of 1920	1732	server.exe	46
PID 1732 wrote to memory of 1920	1732	server.exe	46
PID 1920 wrote to memory of 2508	1920	svchost.exe	47
PID 1920 wrote to memory of 2508	1920	svchost.exe	47
PID 1920 wrote to memory of 2508	1920	svchost.exe	47
PID 1920 wrote to memory of 2508	1920	svchost.exe	47
PID 2508 wrote to memory of 2060	2508	server.exe	48
PID 2508 wrote to memory of 2060	2508	server.exe	48
PID 2508 wrote to memory of 2060	2508	server.exe	48
PID 2508 wrote to memory of 2060	2508	server.exe	48
PID 2508 wrote to memory of 3044	2508	server.exe	50
PID 2508 wrote to memory of 3044	2508	server.exe	50
PID 2508 wrote to memory of 3044	2508	server.exe	50
PID 2508 wrote to memory of 3044	2508	server.exe	50
PID 2508 wrote to memory of 2292	2508	server.exe	51
PID 2508 wrote to memory of 2292	2508	server.exe	51
PID 2508 wrote to memory of 2292	2508	server.exe	51
PID 2508 wrote to memory of 2292	2508	server.exe	51
PID 2508 wrote to memory of 2360	2508	server.exe	54
PID 2508 wrote to memory of 2360	2508	server.exe	54
PID 2508 wrote to memory of 2360	2508	server.exe	54
PID 2508 wrote to memory of 2360	2508	server.exe	54
PID 2360 wrote to memory of 2824	2360	svchost.exe	55
PID 2360 wrote to memory of 2824	2360	svchost.exe	55
PID 2360 wrote to memory of 2824	2360	svchost.exe	55
PID 2360 wrote to memory of 2824	2360	svchost.exe	55

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afa601763f2a7766d2162134d441dda5335cf15c7b0ee75ba8d9759247ca48bc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afa601763f2a7766d2162134d441dda5335cf15c7b0ee75ba8d9759247ca48bc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\server.exe
  "C:\Windows\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Windows\server.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1808
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\server.exe
      "C:\Windows\server.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1944
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2236
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1920
      - C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        
        PID:2060
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        7⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        8⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        9⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        9⤵
        Modifies Windows Firewall
        
        PID:1860
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        9⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2828
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        10⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        11⤵
        Modifies Windows Firewall
        
        PID:2252
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        11⤵
        Modifies Windows Firewall
        
        PID:1868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        11⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        11⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2168
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        12⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:716
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        13⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2524
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        13⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2216
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        14⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        15⤵
        Modifies Windows Firewall
        
        PID:2612
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        15⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2732
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        15⤵
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        16⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        17⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        17⤵
        Modifies Windows Firewall
        
        PID:1740
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        17⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        17⤵
        Executes dropped EXE
        
        PID:1236
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        19⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        19⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:908
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        19⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        19⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        20⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        21⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        21⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        21⤵
        Modifies Windows Firewall
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        21⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2332
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        22⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        23⤵
        Modifies Windows Firewall
        
        PID:2580
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        23⤵
        Modifies Windows Firewall
        
        PID:640
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        23⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        23⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:768
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        24⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        25⤵
        
        PID:696
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        25⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1688
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        25⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1920
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        26⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        27⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        27⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        27⤵
        Modifies Windows Firewall
        
        PID:2796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        27⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        28⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        29⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        29⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1860
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        29⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1712
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        29⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        30⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        31⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        31⤵
        Modifies Windows Firewall
        
        PID:2684
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        31⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        31⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        32⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        33⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2924
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        33⤵
        Modifies Windows Firewall
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        33⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1988
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        34⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        35⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        35⤵
        Modifies Windows Firewall
        
        PID:2836
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        35⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        35⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1864
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        36⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        37⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2712
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        37⤵
        Modifies Windows Firewall
        
        PID:1680
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        37⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1956
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        38⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        39⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        39⤵
        Modifies Windows Firewall
        
        PID:1356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        39⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        41⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1580
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        41⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        41⤵
        Modifies Windows Firewall
        
        PID:1284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        42⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        43⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        43⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        43⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        43⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        44⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        45⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:920
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        45⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        45⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        45⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2428
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        46⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        47⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        47⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        47⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        47⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        48⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        49⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2556
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        49⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        49⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        50⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        51⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1860
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        51⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1900
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        51⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        51⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        52⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        53⤵
        Modifies Windows Firewall
        
        PID:1812
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        53⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        53⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        53⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        54⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        55⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        55⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        55⤵
        Modifies Windows Firewall
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        55⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        56⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        57⤵
        
        PID:932
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        57⤵
        Modifies Windows Firewall
        
        PID:1368
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        57⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        57⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1012
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        58⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        59⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2420
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        59⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        59⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        61⤵
        Modifies Windows Firewall
        
        PID:1608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        61⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        61⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        62⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        63⤵
        Modifies Windows Firewall
        
        PID:1948
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        63⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        63⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        63⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        64⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        65⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        65⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        65⤵
        Modifies Windows Firewall
        
        PID:2940
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        65⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:896
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        66⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        67⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1784
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        67⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        67⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        67⤵
        Drops file in Windows directory
        
        PID:2104
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        68⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        69⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1992
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        69⤵
        Modifies Windows Firewall
        
        PID:1924
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        69⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        69⤵
        
        PID:2548
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        70⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        71⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        71⤵
        Drops file in Windows directory
        
        PID:2112
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        72⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        73⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:964
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        73⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        73⤵
        Modifies Windows Firewall
        
        PID:1356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        73⤵
        Drops file in Windows directory
        
        PID:1496
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        74⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        75⤵
        Modifies Windows Firewall
        
        PID:2312
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        75⤵
        Modifies Windows Firewall
        
        PID:1644
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        75⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        75⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        76⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        77⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1720
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        77⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        77⤵
        
        PID:1304
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        78⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        79⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        79⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        79⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        79⤵
        
        PID:2940
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        80⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        81⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        81⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1664
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        81⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        82⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        83⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        83⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:484
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        83⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        83⤵
        
        PID:1628
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        84⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        85⤵
        Modifies Windows Firewall
        
        PID:2968
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        85⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        85⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        85⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        86⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        87⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        87⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        88⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        89⤵
        Modifies Windows Firewall
        
        PID:2972
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        89⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        89⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        89⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        90⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        91⤵
        Modifies Windows Firewall
        
        PID:3004
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        91⤵
        Modifies Windows Firewall
        
        PID:1160
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        91⤵
        
        PID:2728
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        92⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        93⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        93⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        93⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        93⤵
        
        PID:1616
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        94⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        95⤵
        Modifies Windows Firewall
        
        PID:2812
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        95⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        95⤵
        Drops file in Windows directory
        
        PID:2784
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        96⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        97⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1340
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        97⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        97⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        97⤵
        
        PID:1828
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        98⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        99⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        99⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        99⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        99⤵
        Drops file in Windows directory
        
        PID:2292
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        100⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        101⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        101⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1756
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        101⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        101⤵
        
        PID:2012
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        102⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        103⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:716
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        103⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1568
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        103⤵
        
        PID:2352
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        104⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        105⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1676
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        105⤵
        Modifies Windows Firewall
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        105⤵
        Drops file in Windows directory
        
        PID:1368
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        106⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        107⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        107⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        107⤵
        Modifies Windows Firewall
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        107⤵
        Drops file in Windows directory
        
        PID:2484
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        108⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        109⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2504
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        109⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        109⤵
        Drops file in Windows directory
        
        PID:2796
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        110⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        111⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        111⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        111⤵
        Modifies Windows Firewall
        
        PID:2944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        111⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        112⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        113⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2804
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        113⤵
        Modifies Windows Firewall
        
        PID:2144
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        113⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        113⤵
        
        PID:1368
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        114⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        115⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        115⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        115⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        115⤵
        
        PID:3016
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        116⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        117⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        117⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        117⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        117⤵
        
        PID:1976
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        118⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        119⤵
        Modifies Windows Firewall
        
        PID:1716
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        119⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        119⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        119⤵
        
        PID:2072
        
        C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        120⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        121⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1140
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        121⤵
        Modifies Windows Firewall
        
        PID:2712
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        121⤵
        
        PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
21B

MD5
28e4dd4093f543ce9c85dc38111b8e4d

SHA1
8607d0131f30e6246088ae3e3aeb58b6405fb65e

SHA256
0944e1d01a6e4926eb610353fb63f4ec70c3cc91dd03a49f90a256b67da9c3d1

SHA512
10e4e647856e37ad280acf3b283095f73fd5ccb40bf38cfa2a7e0040970efc39c553f30d2b06da1c55004a6a02145db36d032356fdabc2f533a9df52052d7ea3

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
5014379cf5fa31db8a73d68d6353a145

SHA1
2a1a5138e8c9e7547caae1c9fb223afbf714ed00

SHA256
538b830838cbf62e6ce267b48e2eb165030686e5b6317f0b1e9205a3e08c73b8

SHA512
5091a16ef7730449601a70b5ef5512a93c98c76beb8cfee1adc9d39780c49b1d712e764720b04e44e18c7b08633c5d453793462c18dc6bef14d82bf69892e18f

Download Submit
C:\Windows\server.exe

Filesize
93KB

MD5
e3246829669fd405f86615b41273ca8e

SHA1
a938850b46ce8c7cef39740a5e60688fe0130334

SHA256
afa601763f2a7766d2162134d441dda5335cf15c7b0ee75ba8d9759247ca48bc

SHA512
498b1c351e87d01a4b7bc016e47d3eddee9d891cf33c32b41dfcc8ed9c88d60050292dfd2b4e0781450c013037f425b63062bfb81a845082344676ef26acb9ca

Download Submit
memory/2140-0-0x0000000074E61000-0x0000000074E62000-memory.dmp

Filesize
4KB

Download
memory/2140-12-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-2-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-1-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/2564-2091-0x0000000077A20000-0x0000000077B1A000-memory.dmp

Filesize
1000KB

Download
memory/2564-2092-0x00000000753C0000-0x00000000753EE000-memory.dmp

Filesize
184KB

Download
memory/2564-2090-0x0000000077900000-0x0000000077A1F000-memory.dmp

Filesize
1.1MB

Download
memory/2612-13-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/2612-14-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/2612-65-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download