njrat | hxxps://github[.]com/alyaparan/NjRat-0[.]7D?tab=readme-ov-file

Analysis

max time kernel
583s
max time network
622s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
04-02-2025 20:23

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/alyaparan/NjRat-0.7D?tab=readme-ov-file

Score

10^/10

njrat hacked credential_access defense_evasion discovery persistence privilege_escalation spyware stealer trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

127.0.0.1:5552

Mutex

300fc391889bdd42d97bee6920ef1055

Attributes

reg_key
300fc391889bdd42d97bee6920ef1055
splitter
|'|'|

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

127.0.0.1:8777

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 64 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1704	netsh.exe
4592	netsh.exe
4424	netsh.exe
4780	netsh.exe
4964	netsh.exe
3752	netsh.exe
4736	netsh.exe
3760	netsh.exe
4164	netsh.exe
1600	netsh.exe
1132	netsh.exe
4304	netsh.exe
2412	netsh.exe
4960	netsh.exe
4008	netsh.exe
2144	netsh.exe
1600	netsh.exe
4616	netsh.exe
4572	netsh.exe
4644	netsh.exe
3368	netsh.exe
1872	netsh.exe
3744	netsh.exe
4116	netsh.exe
1832	netsh.exe
3044	netsh.exe
756	netsh.exe
4536	netsh.exe
2852	netsh.exe
4280	netsh.exe
1388	netsh.exe
4776	netsh.exe
3460	netsh.exe
4644	netsh.exe
1260	netsh.exe
1260	netsh.exe
2348	netsh.exe
4336	netsh.exe
3188	netsh.exe
544	netsh.exe
1184	netsh.exe
1456	netsh.exe
3964	netsh.exe
748	netsh.exe
2628	netsh.exe
1832	netsh.exe
1456	netsh.exe
896	netsh.exe
2668	netsh.exe
1872	netsh.exe
3924	netsh.exe
2808	netsh.exe
1020	netsh.exe
3008	netsh.exe
3144	netsh.exe
2668	netsh.exe
3460	netsh.exe
4896	netsh.exe
332	netsh.exe
4080	netsh.exe
4848	netsh.exe
3076	netsh.exe
2800	netsh.exe
896	netsh.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe

Executes dropped EXE 64 IoCs

pid	Process
2628	Server.exe
544	server.exe
1476	svchost.exe
1164	server.exe
4796	svchost.exe
4784	server.exe
4192	svchost.exe
4408	server.exe
1800	svchost.exe
4592	server.exe
2720	svchost.exe
3840	server.exe
1184	svchost.exe
116	server.exe
2348	svchost.exe
1052	server.exe
1800	svchost.exe
3792	server.exe
5052	Server.exe
4484	svchost.exe
2140	server.exe
2744	svchost.exe
1200	server.exe
1840	svchost.exe
3600	server.exe
4072	svchost.exe
4392	server.exe
2736	svchost.exe
3484	server.exe
3648	svchost.exe
524	server.exe
3384	svchost.exe
1064	server.exe
952	svchost.exe
3964	server.exe
1488	svchost.exe
1716	server.exe
1388	svchost.exe
1620	server.exe
2556	svchost.exe
3424	server.exe
4796	svchost.exe
4776	server.exe
4868	svchost.exe
1872	server.exe
4080	svchost.exe
3828	server.exe
3060	svchost.exe
1388	server.exe
324	svchost.exe
3420	server.exe
3860	svchost.exe
1600	server.exe
1716	svchost.exe
2516	server.exe
3160	svchost.exe
2808	server.exe
4796	svchost.exe
1128	server.exe
1564	svchost.exe
5116	server.exe
3484	svchost.exe
4072	server.exe
2556	svchost.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\ProgramData\\Dllhost.exe\" .."	Dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\ProgramData\\Dllhost.exe\" .."	Dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
66	raw.githubusercontent.com
67	raw.githubusercontent.com
63	raw.githubusercontent.com
65	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4556 set thread context of 936	4556	Dllhost.exe	685

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/936-1634-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/936-1635-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/936-1636-0x0000000000400000-0x0000000000472000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 57 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NjRat 0.7D Golden Edition - Rus.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	NjRat 0.7D Golden Edition - Rus.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NjRat 0.7D Golden Edition - Rus.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NjRat 0.7D Danger Edition.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NjRat 0.7D Golden Edition - Rus.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NjRat 0.7D Golden Edition - Rus.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NjRat 0.7D Danger Edition.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NjRat 0.7D Danger Edition.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	NjRat 0.7D Golden Edition - Rus.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NjRat 0.7D Golden Edition - Rus.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NjRat 0.7D Golden Edition - Rus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NjRat 0.7D Golden Edition - Rus.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	NjRat 0.7D Golden Edition - Rus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	NjRat 0.7D Golden Edition - Rus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0	NjRat 0.7D Golden Edition - Rus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	NjRat 0.7D Golden Edition - Rus.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	NjRat 0.7D Danger Edition.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	NjRat 0.7D Danger Edition.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NjRat 0.7D Golden Edition - Rus.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NjRat 0.7D Golden Edition - Rus.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\1	NjRat 0.7D Golden Edition - Rus.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NjRat 0.7D Golden Edition - Rus.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NjRat 0.7D Golden Edition - Rus.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NjRat 0.7D Golden Edition - Rus.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	NjRat 0.7D Danger Edition.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NjRat 0.7D Golden Edition - Rus.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	NjRat 0.7D Golden Edition - Rus.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	NjRat 0.7D Golden Edition - Rus.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NjRat 0.7D Golden Edition - Rus.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	NjRat 0.7D Golden Edition - Rus.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NjRat 0.7D Golden Edition - Rus.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NjRat 0.7D Golden Edition - Rus.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings	NjRat 0.7D Golden Edition - Rus.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000_Classes\Local Settings	NjRat 0.7D Danger Edition.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\NjRat-0.7D-main.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe
544	server.exe

Suspicious behavior: GetForegroundWindowSpam 17 IoCs

pid	Process
3364	NjRat 0.7D Danger Edition.exe
2276	Server.exe
324	Server.exe
4424	server.exe
4556	Dllhost.exe
2704	server.exe
3636	server.exe
1132	server.exe
2628	NjRat 0.7D Golden Edition - Rus.exe
1456	server.exe
4192	server.exe
4776	server.exe
1832	server.exe
3188	server.exe
3188	server.exe
2004	server.exe
4760	server.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	firefox.exe
Token: SeDebugPrivilege	1928	firefox.exe
Token: SeDebugPrivilege	1928	firefox.exe
Token: 33	2504	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2504	AUDIODG.EXE
Token: SeDebugPrivilege	1928	firefox.exe
Token: SeDebugPrivilege	1928	firefox.exe
Token: SeDebugPrivilege	1928	firefox.exe
Token: SeDebugPrivilege	544	server.exe
Token: SeDebugPrivilege	1164	server.exe
Token: SeDebugPrivilege	4784	server.exe
Token: SeDebugPrivilege	4408	server.exe
Token: SeDebugPrivilege	4592	server.exe
Token: SeDebugPrivilege	3840	server.exe
Token: SeDebugPrivilege	116	server.exe
Token: SeDebugPrivilege	1052	server.exe
Token: SeDebugPrivilege	3792	server.exe
Token: SeDebugPrivilege	2140	server.exe
Token: SeDebugPrivilege	1200	server.exe
Token: SeDebugPrivilege	3600	server.exe
Token: SeDebugPrivilege	4392	server.exe
Token: SeDebugPrivilege	3484	server.exe
Token: SeDebugPrivilege	524	server.exe
Token: SeDebugPrivilege	1064	server.exe
Token: SeDebugPrivilege	1928	firefox.exe
Token: SeDebugPrivilege	3964	server.exe
Token: SeDebugPrivilege	1716	server.exe
Token: SeDebugPrivilege	1620	server.exe
Token: SeDebugPrivilege	3424	server.exe
Token: SeDebugPrivilege	4776	server.exe
Token: SeDebugPrivilege	1872	server.exe
Token: SeDebugPrivilege	3828	server.exe
Token: SeDebugPrivilege	1388	server.exe
Token: SeDebugPrivilege	3420	server.exe
Token: SeDebugPrivilege	1600	server.exe
Token: SeDebugPrivilege	2516	server.exe
Token: SeDebugPrivilege	2808	server.exe
Token: SeDebugPrivilege	1128	server.exe
Token: SeDebugPrivilege	5116	server.exe
Token: SeDebugPrivilege	4072	server.exe
Token: SeDebugPrivilege	2120	server.exe
Token: SeDebugPrivilege	1320	server.exe
Token: SeDebugPrivilege	1476	server.exe
Token: SeDebugPrivilege	4932	server.exe
Token: SeDebugPrivilege	2744	server.exe
Token: SeDebugPrivilege	1064	server.exe
Token: SeDebugPrivilege	776	server.exe
Token: SeDebugPrivilege	2344	server.exe
Token: SeDebugPrivilege	1464	server.exe
Token: SeDebugPrivilege	332	server.exe
Token: SeDebugPrivilege	400	server.exe
Token: SeDebugPrivilege	3600	server.exe
Token: SeDebugPrivilege	1408	server.exe
Token: SeDebugPrivilege	1464	server.exe
Token: SeDebugPrivilege	2900	server.exe
Token: SeDebugPrivilege	2132	server.exe
Token: SeDebugPrivilege	4708	server.exe
Token: SeDebugPrivilege	324	server.exe
Token: SeDebugPrivilege	3520	server.exe
Token: SeDebugPrivilege	2260	server.exe
Token: SeDebugPrivilege	1928	firefox.exe
Token: SeDebugPrivilege	1064	server.exe
Token: SeDebugPrivilege	2704	server.exe
Token: SeDebugPrivilege	3160	server.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
3364	NjRat 0.7D Danger Edition.exe
3364	NjRat 0.7D Danger Edition.exe
3364	NjRat 0.7D Danger Edition.exe
3364	NjRat 0.7D Danger Edition.exe
2628	NjRat 0.7D Golden Edition - Rus.exe
2628	NjRat 0.7D Golden Edition - Rus.exe
2628	NjRat 0.7D Golden Edition - Rus.exe
2628	NjRat 0.7D Golden Edition - Rus.exe
3364	NjRat 0.7D Danger Edition.exe
5040	NjRat 0.7D Danger Edition.exe
5040	NjRat 0.7D Danger Edition.exe
5040	NjRat 0.7D Danger Edition.exe
2148	NjRat 0.7D Green Edition by im523.exe
2148	NjRat 0.7D Green Edition by im523.exe
2148	NjRat 0.7D Green Edition by im523.exe
2628	NjRat 0.7D Golden Edition - Rus.exe
5040	NjRat 0.7D Danger Edition.exe
5040	NjRat 0.7D Danger Edition.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
3364	NjRat 0.7D Danger Edition.exe
3364	NjRat 0.7D Danger Edition.exe
3364	NjRat 0.7D Danger Edition.exe
2628	NjRat 0.7D Golden Edition - Rus.exe
2628	NjRat 0.7D Golden Edition - Rus.exe
2628	NjRat 0.7D Golden Edition - Rus.exe
3364	NjRat 0.7D Danger Edition.exe
5040	NjRat 0.7D Danger Edition.exe
5040	NjRat 0.7D Danger Edition.exe
5040	NjRat 0.7D Danger Edition.exe
2148	NjRat 0.7D Green Edition by im523.exe
2148	NjRat 0.7D Green Edition by im523.exe
2148	NjRat 0.7D Green Edition by im523.exe
2628	NjRat 0.7D Golden Edition - Rus.exe
5040	NjRat 0.7D Danger Edition.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
3364	NjRat 0.7D Danger Edition.exe
3364	NjRat 0.7D Danger Edition.exe
2628	NjRat 0.7D Golden Edition - Rus.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1928	1656	firefox.exe	84
PID 1656 wrote to memory of 1928	1656	firefox.exe	84
PID 1656 wrote to memory of 1928	1656	firefox.exe	84
PID 1656 wrote to memory of 1928	1656	firefox.exe	84
PID 1656 wrote to memory of 1928	1656	firefox.exe	84
PID 1656 wrote to memory of 1928	1656	firefox.exe	84
PID 1656 wrote to memory of 1928	1656	firefox.exe	84
PID 1656 wrote to memory of 1928	1656	firefox.exe	84
PID 1656 wrote to memory of 1928	1656	firefox.exe	84
PID 1656 wrote to memory of 1928	1656	firefox.exe	84
PID 1656 wrote to memory of 1928	1656	firefox.exe	84
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 3288	1928	firefox.exe	85
PID 1928 wrote to memory of 4364	1928	firefox.exe	86
PID 1928 wrote to memory of 4364	1928	firefox.exe	86
PID 1928 wrote to memory of 4364	1928	firefox.exe	86
PID 1928 wrote to memory of 4364	1928	firefox.exe	86
PID 1928 wrote to memory of 4364	1928	firefox.exe	86
PID 1928 wrote to memory of 4364	1928	firefox.exe	86
PID 1928 wrote to memory of 4364	1928	firefox.exe	86
PID 1928 wrote to memory of 4364	1928	firefox.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/alyaparan/NjRat-0.7D?tab=readme-ov-file"
1⤵
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/alyaparan/NjRat-0.7D?tab=readme-ov-file
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1668 -prefsLen 27199 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d96d8cab-85c9-42c1-adcb-3183a9ae08c0} 1928 "\\.\pipe\gecko-crash-server-pipe.1928" gpu
    3⤵
    PID:3288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2428 -prefsLen 28119 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02ef56e3-502c-4781-a777-0c24059c2198} 1928 "\\.\pipe\gecko-crash-server-pipe.1928" socket
    3⤵
    PID:4364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3388 -childID 1 -isForBrowser -prefsHandle 3152 -prefMapHandle 3400 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 920 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0366dd1-a669-4bc7-99d3-6a6bead90314} 1928 "\\.\pipe\gecko-crash-server-pipe.1928" tab
    3⤵
    PID:2588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3664 -childID 2 -isForBrowser -prefsHandle 3656 -prefMapHandle 3296 -prefsLen 32609 -prefMapSize 244658 -jsInitHandle 920 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dde6c80c-39e1-46e1-af48-b3652675e33b} 1928 "\\.\pipe\gecko-crash-server-pipe.1928" tab
    3⤵
    PID:4416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4608 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4624 -prefMapHandle 4620 -prefsLen 32609 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc732c28-07e2-40d6-999c-7a3c6af7a9fa} 1928 "\\.\pipe\gecko-crash-server-pipe.1928" utility
    3⤵
    - Checks processor information in registry
    PID:4388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 3 -isForBrowser -prefsHandle 5472 -prefMapHandle 5408 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 920 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32f991bb-272d-49b9-8b32-9213d7d00757} 1928 "\\.\pipe\gecko-crash-server-pipe.1928" tab
    3⤵
    PID:1812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 4 -isForBrowser -prefsHandle 5580 -prefMapHandle 5584 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 920 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af05473d-5477-4e20-94d7-7f133f2aadd3} 1928 "\\.\pipe\gecko-crash-server-pipe.1928" tab
    3⤵
    PID:2452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 5 -isForBrowser -prefsHandle 5788 -prefMapHandle 5796 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 920 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {feb86219-0b7c-4c1e-a62f-a20e64a225ee} 1928 "\\.\pipe\gecko-crash-server-pipe.1928" tab
    3⤵
    PID:3080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4256

C:\Users\Admin\Desktop\NjRat-0.7D-main\1\NjRat.0.7D.Danger.Edition\NjRat 0.7D Danger Edition.exe
"C:\Users\Admin\Desktop\NjRat-0.7D-main\1\NjRat.0.7D.Danger.Edition\NjRat 0.7D Danger Edition.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3364
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /alignment=512 /QUIET "C:\Users\Admin\AppData\Local\Temp\stub.il" /output:"C:\Users\Admin\Desktop\NjRat-0.7D-main\1\NjRat.0.7D.Danger.Edition\Server.exe"
  2⤵
  PID:1408
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /alignment=512 /QUIET "C:\Users\Admin\AppData\Local\Temp\stub.il" /output:"C:\Users\Admin\Desktop\NjRat-0.7D-main\1\NjRat.0.7D.Danger.Edition\Server.exe"
  2⤵
  PID:4708

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x32c 0x2cc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Users\Admin\Desktop\NjRat-0.7D-main\1\NjRat.0.7D.Danger.Edition\Server.exe
"C:\Users\Admin\Desktop\NjRat-0.7D-main\1\NjRat.0.7D.Danger.Edition\Server.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2628
- C:\ProgramData\server.exe
  "C:\ProgramData\server.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:4164
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:188
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:4592
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1476
  - - C:\ProgramData\server.exe
      "C:\ProgramData\server.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1164
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        5⤵
        
        PID:4496
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        5⤵
        
        PID:4896
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:1260
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4796
      - C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        7⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        7⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        7⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        7⤵
        Executes dropped EXE
        
        PID:4192
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        8⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4408
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        9⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        9⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        9⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1800
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        10⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4592
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        11⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        11⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        11⤵
        Modifies Windows Firewall
        
        PID:748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2720
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        12⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3840
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        13⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:324
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        13⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1184
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        14⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:116
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        15⤵
        
        PID:896
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        15⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        15⤵
        Modifies Windows Firewall
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2348
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        16⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        17⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4784
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        17⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1840
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        17⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        17⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        18⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3792
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        19⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        19⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        19⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        19⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        20⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        21⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        21⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        21⤵
        Modifies Windows Firewall
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        21⤵
        Executes dropped EXE
        
        PID:2744
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        22⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        23⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        23⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        23⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1840
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        24⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3600
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        25⤵
        Modifies Windows Firewall
        
        PID:4280
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        25⤵
        Modifies Windows Firewall
        
        PID:4080
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        25⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        25⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        26⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        27⤵
        
        PID:896
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        27⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        27⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        28⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        29⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3296
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        29⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1716
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        29⤵
        Executes dropped EXE
        
        PID:3648
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:524
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        31⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        31⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3384
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        32⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        33⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3296
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        33⤵
        Modifies Windows Firewall
        
        PID:1600
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        33⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        34⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        35⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        35⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        35⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        36⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        37⤵
        Modifies Windows Firewall
        
        PID:1600
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        37⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        37⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        39⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        39⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2556
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        40⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3424
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        41⤵
        Modifies Windows Firewall
        
        PID:4424
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        41⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4408
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        41⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        42⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        43⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1552
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        43⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        43⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3712
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        43⤵
        Executes dropped EXE
        
        PID:4868
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        45⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        45⤵
        Modifies Windows Firewall
        
        PID:4616
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        45⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        45⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        46⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        47⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        47⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        47⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3060
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        48⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        49⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        49⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        49⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        49⤵
        Executes dropped EXE
        
        PID:324
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        50⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3420
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        51⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        51⤵
        Modifies Windows Firewall
        
        PID:2628
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        51⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        51⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        52⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        53⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        53⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        53⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        53⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        54⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        55⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3384
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        55⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        55⤵
        Modifies Windows Firewall
        
        PID:1832
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        55⤵
        Executes dropped EXE
        
        PID:3160
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        56⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        57⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        57⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        57⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        57⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        58⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        59⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        59⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        59⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        59⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        60⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        61⤵
        
        PID:748
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        61⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        61⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3484
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        62⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        63⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        63⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        63⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4336
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        63⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        64⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        65⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        65⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        65⤵
        Modifies Windows Firewall
        
        PID:3924
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        65⤵
        
        PID:4256
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        66⤵
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        67⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        67⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        67⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        67⤵
        Checks computer location settings
        
        PID:3420
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        68⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        69⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        69⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        69⤵
        
        PID:3052
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        70⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        71⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        71⤵
        Modifies Windows Firewall
        
        PID:1132
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        71⤵
        Checks computer location settings
        
        PID:4572
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        72⤵
        Checks computer location settings
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        73⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4408
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        73⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        73⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        73⤵
        
        PID:2736
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        74⤵
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        75⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        75⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3976
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        75⤵
        
        PID:2532
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        76⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        77⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        77⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        77⤵
        Checks computer location settings
        
        PID:1772
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        78⤵
        Checks computer location settings
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        79⤵
        
        PID:456
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        79⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4304
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        79⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        80⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        81⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2808
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        81⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        81⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        81⤵
        Checks computer location settings
        
        PID:2136
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        82⤵
        Checks computer location settings
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        83⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        83⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        83⤵
        Checks computer location settings
        
        PID:216
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        84⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        85⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        85⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3500
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        85⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        85⤵
        
        PID:3044
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        86⤵
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:3600
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        87⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        87⤵
        Modifies Windows Firewall
        
        PID:896
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        87⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        87⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        88⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        89⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1040
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        89⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4944
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        89⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:332
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        90⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        91⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        91⤵
        Modifies Windows Firewall
        
        PID:3188
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        91⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        91⤵
        
        PID:1040
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        92⤵
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        93⤵
        Modifies Windows Firewall
        
        PID:3460
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        93⤵
        Modifies Windows Firewall
        
        PID:1872
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        93⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        93⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:896
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        94⤵
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        95⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        95⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        95⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        95⤵
        
        PID:1148
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        96⤵
        Checks computer location settings
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:4708
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        97⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        97⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        97⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        97⤵
        
        PID:2388
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        98⤵
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        99⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        99⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        99⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        99⤵
        Checks computer location settings
        
        PID:2088
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        100⤵
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        101⤵
        Modifies Windows Firewall
        
        PID:1260
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        101⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        101⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        101⤵
        
        PID:2132
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        102⤵
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        103⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        103⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        103⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        103⤵
        
        PID:3556
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        104⤵
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        105⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        105⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        105⤵
        Modifies Windows Firewall
        
        PID:4776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        105⤵
        Checks computer location settings
        
        PID:2612
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        106⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        107⤵
        Modifies Windows Firewall
        
        PID:3744
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        107⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:3196
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        108⤵
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:3160
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        109⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        109⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        109⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        109⤵
        
        PID:2364
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        110⤵
        Drops startup file
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:4424
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        111⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        111⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        111⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3336
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        111⤵
        
        PID:4640
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        112⤵
        Checks computer location settings
        
        PID:4376
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        113⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        113⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        113⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        114⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        114⤵
        Drops startup file
        
        PID:5016
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        115⤵
        Modifies Windows Firewall
        
        PID:544
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        115⤵
        
        PID:3376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        115⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:888
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        116⤵
        Drops startup file
        
        PID:4992
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        117⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        117⤵
        
        PID:324
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        117⤵
        Modifies Windows Firewall
        
        PID:4960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        117⤵
        Checks computer location settings
        
        PID:4080
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        118⤵
        Checks computer location settings
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        119⤵
        Modifies Windows Firewall
        
        PID:1832
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        119⤵
        Modifies Windows Firewall
        
        PID:1020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:544
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        119⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        119⤵
        
        PID:2660
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        120⤵
        Drops startup file
        
        PID:2528
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        121⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        121⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2308
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        121⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        121⤵
        Checks computer location settings
        
        PID:1744
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        122⤵
        Checks computer location settings
        Drops startup file
        
        PID:1020
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        123⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:324
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        123⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        123⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        123⤵
        
        PID:4004
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        124⤵
        Checks computer location settings
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        125⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        125⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        125⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        125⤵
        
        PID:3336
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        126⤵
        Drops startup file
        
        PID:700
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        127⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        127⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1132
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        127⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        127⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        128⤵
        Checks computer location settings
        
        PID:4644
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        129⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        129⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        129⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        129⤵
        Checks computer location settings
        
        PID:2652
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        130⤵
        Checks computer location settings
        Drops startup file
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3636
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        131⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3396
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        131⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        131⤵
        
        PID:2748
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        132⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1132
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        133⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1012
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        133⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        134⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        133⤵
        Modifies Windows Firewall
        
        PID:4116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        133⤵
        
        PID:3744
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        134⤵
        Checks computer location settings
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        135⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        135⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        135⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        136⤵
        Drops startup file
        
        PID:4004
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        137⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        137⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        138⤵
        
        PID:524
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        137⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        137⤵
        
        PID:1072
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        138⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        139⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        139⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        139⤵
        
        PID:2652
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        140⤵
        Checks computer location settings
        Drops startup file
        
        PID:4344
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        141⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        141⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        141⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        141⤵
        
        PID:1600
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        142⤵
        Checks computer location settings
        Drops startup file
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1456
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        143⤵
        
        PID:4592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        144⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        143⤵
        
        PID:776
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        143⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        144⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        143⤵
        
        PID:3500
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        144⤵
        Drops startup file
        
        PID:3180
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        145⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4444
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        145⤵
        Modifies Windows Firewall
        
        PID:4780
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        145⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        145⤵
        
        PID:2148
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        146⤵
        Drops startup file
        
        PID:2964
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        147⤵
        Modifies Windows Firewall
        
        PID:1184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        148⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        147⤵
        Modifies Windows Firewall
        
        PID:4848
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        147⤵
        Checks computer location settings
        
        PID:2652
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        148⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        149⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        149⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        149⤵
        
        PID:668
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        150⤵
        Drops startup file
        
        PID:2608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        151⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5048
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        151⤵
        
        PID:4592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        152⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        151⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        151⤵
        
        PID:848
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        152⤵
        Drops startup file
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:4192
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        153⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        154⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        153⤵
        
        PID:2004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        154⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        153⤵
        Modifies Windows Firewall
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        153⤵
        Checks computer location settings
        
        PID:4444
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        154⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        155⤵
        Modifies Windows Firewall
        
        PID:4572
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        155⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        155⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        156⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        155⤵
        
        PID:2988
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        156⤵
        Checks computer location settings
        Drops startup file
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:4776
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        157⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        157⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        157⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        157⤵
        
        PID:4116
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        158⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        159⤵
        Modifies Windows Firewall
        
        PID:4644
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        159⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1456
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        159⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        159⤵
        
        PID:2748
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        160⤵
        Checks computer location settings
        
        PID:4592
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        161⤵
        
        PID:4760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        162⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        161⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1160
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        161⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        162⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        161⤵
        
        PID:2252
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        162⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        163⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        164⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        163⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        163⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        163⤵
        Checks computer location settings
        
        PID:2608
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        164⤵
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1832
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        165⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        165⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        165⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        165⤵
        
        PID:2920
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        166⤵
        Drops startup file
        
        PID:4132
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        167⤵
        Modifies Windows Firewall
        
        PID:3076
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        167⤵
        Modifies Windows Firewall
        
        PID:4964
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        167⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        167⤵
        
        PID:2384
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        168⤵
        Checks computer location settings
        Drops startup file
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3188
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        169⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        169⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        169⤵
        
        PID:1180
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        170⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        171⤵
        
        PID:1064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        172⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        171⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:332
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        171⤵
        Modifies Windows Firewall
        
        PID:3368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        172⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        171⤵
        
        PID:1760
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        172⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3188
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        173⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        173⤵
        
        PID:1800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        174⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        173⤵
        
        PID:2608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        174⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        173⤵
        
        PID:4200
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        174⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2004
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        175⤵
        Modifies Windows Firewall
        
        PID:3044
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        175⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        175⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        176⤵
        Checks computer location settings
        Drops startup file
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:4760
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        177⤵
        
        PID:4340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        178⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        177⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        177⤵
        Checks computer location settings
        
        PID:3336
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        178⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        179⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        179⤵
        
        PID:3784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        180⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        179⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        179⤵
        
        PID:1800
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        180⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        181⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        181⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        181⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        181⤵
        
        PID:1744
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        182⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        183⤵
        
        PID:456
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        183⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        183⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        183⤵
        
        PID:1716
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        184⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        185⤵
        Modifies Windows Firewall
        
        PID:2800
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        185⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        185⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        185⤵
        
        PID:2408
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        186⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        187⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        187⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        187⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        187⤵
        
        PID:3180
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        188⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        189⤵
        
        PID:4964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        190⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        189⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        189⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        189⤵
        
        PID:4044
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        190⤵
        
        PID:860
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        191⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        191⤵
        Modifies Windows Firewall
        
        PID:4736
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        191⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        191⤵
        
        PID:4404
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        192⤵
        
        PID:544
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        193⤵
        
        PID:716
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        193⤵
        Modifies Windows Firewall
        
        PID:4008
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        193⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        193⤵
        
        PID:964
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        194⤵
        
        PID:984
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        195⤵
        
        PID:116
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        195⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        195⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        195⤵
        
        PID:4708
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        196⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        197⤵
        Modifies Windows Firewall
        
        PID:3760
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        197⤵
        Modifies Windows Firewall
        
        PID:756
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        197⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        197⤵
        
        PID:4360
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        198⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        199⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        199⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        199⤵
        Modifies Windows Firewall
        
        PID:896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        200⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        199⤵
        
        PID:644
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        200⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        201⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        201⤵
        
        PID:3368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        202⤵
        
        PID:332
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        201⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        201⤵
        
        PID:3684
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        202⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        203⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        203⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        203⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        203⤵
        
        PID:2732
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        204⤵
        
        PID:116
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        205⤵
        
        PID:544
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        205⤵
        Modifies Windows Firewall
        
        PID:2668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        206⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        205⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        205⤵
        
        PID:748
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        206⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        207⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        207⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        207⤵
        Modifies Windows Firewall
        
        PID:4536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        207⤵
        
        PID:3760
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        208⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        209⤵
        
        PID:748
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        209⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        209⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        209⤵
        
        PID:2480
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        210⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        211⤵
        Modifies Windows Firewall
        
        PID:3964
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        211⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        211⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        211⤵
        
        PID:3144
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        212⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        213⤵
        
        PID:896
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        213⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        213⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        213⤵
        
        PID:952
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        214⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        215⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        215⤵
        Modifies Windows Firewall
        
        PID:3144
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        215⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        215⤵
        
        PID:4384
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        216⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        217⤵
        
        PID:544
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        217⤵
        Modifies Windows Firewall
        
        PID:2852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        218⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        217⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        217⤵
        
        PID:3336
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        218⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        219⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        219⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        219⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        219⤵
        
        PID:3752
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        220⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        221⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        221⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        221⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        221⤵
        
        PID:3964
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        222⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        223⤵
        
        PID:3436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        224⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        223⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        223⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        223⤵
        
        PID:2256
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        224⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        225⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        225⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        225⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        225⤵
        
        PID:4616
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        226⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        227⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        227⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        227⤵
        
        PID:644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        228⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        227⤵
        
        PID:4960
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        228⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        229⤵
        Modifies Windows Firewall
        
        PID:1456
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        229⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        229⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        229⤵
        
        PID:2140

C:\Users\Admin\Desktop\NjRat-0.7D-main\1\NjRat.0.7D.Danger.Edition\Server.exe
"C:\Users\Admin\Desktop\NjRat-0.7D-main\1\NjRat.0.7D.Danger.Edition\Server.exe"
1⤵
- Executes dropped EXE
PID:5052

C:\Users\Admin\Desktop\NjRat-0.7D-main\1\NjRat.0.7D.Danger.Edition\Server.exe
"C:\Users\Admin\Desktop\NjRat-0.7D-main\1\NjRat.0.7D.Danger.Edition\Server.exe"
1⤵
PID:1244

C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Golden.Edition\NjRat 0.7D Golden Edition - Rus.exe
"C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Golden.Edition\NjRat 0.7D Golden Edition - Rus.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2628
- C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Golden.Edition\Stubs\mpress.exe
  Stubs\mpress.exe C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Golden.Edition\Server.exe
  2⤵
  PID:4132

C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Golden.Edition\Server.exe
"C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Golden.Edition\Server.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
PID:2276
- C:\ProgramData\Dllhost.exe
  "C:\ProgramData\Dllhost.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4556
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\1108749"
    3⤵
    PID:936

C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Golden.Edition\Server.exe
"C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Golden.Edition\Server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:324

C:\Users\Admin\Desktop\NjRat-0.7D-main\1\NjRat.0.7D.Danger.Edition\NjRat 0.7D Danger Edition.exe
"C:\Users\Admin\Desktop\NjRat-0.7D-main\1\NjRat.0.7D.Danger.Edition\NjRat 0.7D Danger Edition.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5040

C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Green.Edition\NjRat 0.7D Green Edition by im523.exe
"C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Green.Edition\NjRat 0.7D Green Edition by im523.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2148
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /alignment=512 /QUIET "C:\Users\Admin\AppData\Local\Temp\stub.il" /output:"C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Green.Edition\Server.exe"
  2⤵
  PID:3804

C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Golden.Edition\Server.exe
"C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Golden.Edition\Server.exe"
1⤵
PID:4704

C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Golden.Edition\Server.exe
"C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Golden.Edition\Server.exe"
1⤵
PID:3788

C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Golden.Edition\Server.exe
"C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Golden.Edition\Server.exe"
1⤵
PID:4704

C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Green.Edition\Server.exe
"C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Green.Edition\Server.exe"
1⤵
PID:3860
- C:\Users\Admin\AppData\Local\Temp\dllhost.exe
  "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
  2⤵
  PID:2736
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\dllhost.exe" "dllhost.exe" ENABLE
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe"
    3⤵
    PID:4592

C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Green.Edition\Server.exe
"C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Green.Edition\Server.exe"
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:1164

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3688

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4900

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3600

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2136

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2668

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost.exe

Filesize
43KB

MD5
750fae2045b09b188e150d573a016a6e

SHA1
020aadb57428ca8dd1412127f00aea3bec7e9f85

SHA256
f5def9b6d88842197ccfed618cf272419d6be7d630575813ca1f5ad03231d7ee

SHA512
5e09f4bedbc8cad2aaafaa999de5304da3680072747aca284638a52e2ba957e95d7d2736250d3d369b0b250d7d7f5d63ba4699a808c4727e275befbd6f796e11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
408B

MD5
11c924dd7e95b6c1243d3dc6a6cda57d

SHA1
dc5becbb4ba7c94037c13de7163b541f4dfe0b7b

SHA256
18ebe71e164d362b1c0464dda0cb3269b2940c40abd588bde37d92c81263ba52

SHA512
dd021f43ce21d1fb35119fa9303b09281365ca676b6e944de844b397dd407cee9b17b740220bb09d024ffb6e1acf45d4c41ea4101e6cb011f7a1fa9cbf8e2432

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lsy92t1y.default-release\activity-stream.discovery_stream.json

Filesize
25KB

MD5
0925267c61b066e7a3c84ffa46c57b93

SHA1
8978bbfc139b7437431b7baa25c6228a209d2d49

SHA256
3a7386009c922d0854cad81095661311b7da3ef125dc81b187f9453b91d80bea

SHA512
8ed6ce67072f1a833a612465c01eaaafe6b6e1ec014ea2e96a4aeea8a5f9db1a683227eebd09ae202ae8bb86f07224ad938fd1190a8ca25bd1716b1cbe2c09ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
25B

MD5
020e1f40cd2d126d724be2d923688f73

SHA1
1bc32594bd0b62cc7bdfaab0d6f814dc950f91ef

SHA256
576f1f3e60a33cb21f0456abd3f00db63a8b62b2f457457bff1a6e56c67dfb7c

SHA512
30e1d1f07192e8aa01eae4cba754532f21c5e0c2b66d3bf347643e8f8bf3ba64c620e812d272a18f3fdfe5860f6669f7a90afdb4fcf02317d080ea217c583fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\stub.il

Filesize
1.2MB

MD5
7aa6a4cc73ba7053200dfab894223c90

SHA1
bf0be6410a80544f6e3f97ab6f00654fa270b4aa

SHA256
dd2875c98cc37ce3c0f5e48369f04dfff731b8de0d3467d23b85dfba318f4ff2

SHA512
e945649cef285594d7c2ac4141d9e7469e17da9652c89eca2b44edd26445ae93f272cac6a0b9b408166c2af7da61f0b7c1facd5502050003297536cfe0761c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G6P9ZKJ7DOVXH9PRKU33.temp

Filesize
10KB

MD5
6efc183a6c09e9e56c61d92c799e97cd

SHA1
ab723f1071f59ac4b56d1f3addf811016a01c5d1

SHA256
95a6809b0a7b55c7fe45f971088febeaf8ddfa1ddc0d9ae6602d0a5f9a22d804

SHA512
c14f427f038a3e05f3a9ee50e12f91b770518277def8dfdb333bd4a441959b403db377e94e5a7e9dc9cb870b81cf57c8e47f8493675e77d824cb6501c0497caf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\AlternateServices.bin

Filesize
8KB

MD5
1734d6509a2ffc86ccf4e3230fec01c5

SHA1
0610fe3c5d269e711fea3b1968514f087f5c6832

SHA256
2454f107c492aafc481c14b8027aff48550db98df417853336f22951188e28ba

SHA512
08f2bb88c96d768d9d729ce35dc578c48b1c9c8be3f4f879287b735b1c55ac83d91fc1d21f34fc002784ca24ce21d478b24626a78cbbf31b1d769ee4ef0386c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
2cdd8cca3c8dbb60587eafd0fc338dff

SHA1
661c9353a45cead06ca667ae19ee0680434df3bf

SHA256
15cb7b6b9f8635f8ffc5758bb8589c0867f1f3ad056731ddce138ff795da20e5

SHA512
72b0d2f170e4b741f75d072e5189da46b3916e659a5a98f98db41654553f359a03aab056c57046d576e22b366f3dae63b52bbad0663da2336959568b5df0101d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\datareporting\glean\db\data.safe.tmp

Filesize
17KB

MD5
b8ac2504b3ba0f52974958c91d010a6b

SHA1
f5319b4b7a892c10a1cf5394898f03068e01d7d6

SHA256
9db8169fa5bd7ccaeecb087331c7c7223f74f88149e3a19719995b44c681a387

SHA512
da3b4e2841dd7afffaec26ccf677448f335e88dfe3cfeaf8855dd8c4c89193ffb25930648f49f6dd38f32ff5230998de62c01a25baf3ce52577fbb2f8fe2010c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
71efa0307044757c5bfaf8e2a56cbf02

SHA1
27dd7a3fea6a1e58b1911458a2c4378184034c72

SHA256
f73013cc964c22ba4fec5c0373138cadfee685337e9cb887de1df25f9945c537

SHA512
10c0a2d7518e7b9f5fceae4a0b1ce90c2c4eb1fdd8b4eb0605be53c52a1fc6515fda1430d6d02c3f60c0aad6d1e807e84e1b38cd54c4006798bf2e022c784aab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\datareporting\glean\db\data.safe.tmp

Filesize
17KB

MD5
f3394d1987e439f4d78696b29ccb0870

SHA1
845d2c1a1b71b6fcf305d6190b1fdda5c10b31ca

SHA256
2efb9672dd8e18cfa531919e63ec6ee25b168d5bb5e5804c9d49b1330d9995fd

SHA512
5db81fcc8e9648da3303dc232c79a2ac77e26c6cc4725bb832158585bff2cd34d7b175dedd46b89658935e95bf189a23675b6250f164f35d90739b088c57e862

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\datareporting\glean\pending_pings\3d6ecbe8-4074-4170-9960-8ccf0dc7ff47

Filesize
982B

MD5
7479f44e2b1ae0d6dd56f20e7b46b103

SHA1
fed04f7a0622078540037471d62fc45e342cffc2

SHA256
4a7396bff3fc9cfb2f1d3ea42e842ad8fd024423c8771aabe18648a023ed445b

SHA512
a05fef17a660d449a2410dbf100ef174feab26e5c6b8b265dc28973667e11efc8efc852bfc86ee04124f2d29b2f24d86eaba93fd86e4198f66044ca1996ac916

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\datareporting\glean\pending_pings\be4a1127-a4aa-4d1b-a42d-4555c3117ea9

Filesize
671B

MD5
e9385e0150df067070ad2e92f1d0bc7b

SHA1
54bd62099cc07597164cbbd3781d6ee87a16e430

SHA256
e5d205a4cd7d9cb71836e234230322d7c2f7767a75f63830724476ba046e1fad

SHA512
793f37037aa115d3dc7bc0e79540bf47f23f529c1d6c61e0720ce3de95c30d03927a4ccb6f3bbfcb542c8fdcf7dbc5f3deacac5ac81aa58635b82217fc376418

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\datareporting\glean\pending_pings\fd8d6e3e-854c-4b2b-bb8a-adf4d9453182

Filesize
24KB

MD5
72684d90a2ea1250940bef20c4a19719

SHA1
64d4c41ce4b9639ba132c27e41f2e9730b1ec3f6

SHA256
bb73d5338af11ba0927e885a892d840e19c4016b02b3c49434fdda856cfbb346

SHA512
8c6f8f534d1f19f5be459a46170228af889a1678d0cb971ecd6aa601a5cc8a3958f17d2bcce59b76167dafb7b687c5b4e013800ebc0f39265908f6961c2b769f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\prefs-1.js

Filesize
10KB

MD5
e64692dda72749ca11a94500ee2bbd9d

SHA1
868ceb77fb76d32358db48b29c11e67c7a86f417

SHA256
bad59a9fbb6028b811ab295aeb1f09dc3e1e32f6c611042d60f0fd810746cfb1

SHA512
7554399f11eaf841c38628693e682fe17eb178e7ca5ad016163d3ad699458a0fa16b0d3ead9f22964bef08917614c4642f90ffdd68641c11936d72597bc4b19f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\prefs.js

Filesize
9KB

MD5
9fd05be79aac8b92fe34d5479a89d8a1

SHA1
faf79e42b1634b9e12c6ebb1b1cadf1e2d8f5e51

SHA256
221a31ca58ab04f483f4d42ea289d743bec722608d2fa25a3e48c9eb0e2b5e7b

SHA512
7c9fd727e90c34416b68de0fb99f9be36e133d4b491f96e5ebb8bd6868515ee566b03278b4e8ee835fcc8127eaaf5578bd2096867c06cb84c8f62d44658132f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\prefs.js

Filesize
9KB

MD5
956df7921518ec534445071443e9a3f9

SHA1
6bcf3b7c6bc9042744f59de0aace165d4c58b375

SHA256
34b58fdeb4bee8163ba38f3ee56a2b27b682db828151731bd68b571b81babc02

SHA512
b868ad6bae22b6564bead6d0f681aa95b8686b2f30c3e76afad551c65cf9746a41e4c20089c0dcb5b2e96737ed055c5cbb60e05bb0548cc87c9ac7fb5f03f77b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\prefs.js

Filesize
9KB

MD5
fa262a0a3300c31a40dbf988a7e3bcc6

SHA1
46761e63dcab90c8e076be54585b44e6395c8e6b

SHA256
2789a7821114d0ff7aa6e3ea252d7d66fae6321376edc5353136c3a243e68851

SHA512
fffd0167166f3e699e15ec36cfc67b9317cf4ce49a014a9b50d7f47a7738bfa5a191841a1aca132342cb5c810cd892a5e62bc7d3e2c625bb109c7c2a9e3f1509

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
308effd9343bd2a5efdddb4d793cf2b2

SHA1
e58489c663969bf722e7954f3187bcea084ffad1

SHA256
35262daa6923192eb420d9fe4174ed38638573fa2240b775b0dfde55d1d3364e

SHA512
bf1c1fdce4998fa7598f3aea1d6a4a7d6fdfa1a4dbf2afe90590391e706b8b1a5c364fde7874fe94cc97dd18cf03f3a275c93ed41cf0ae6005d13007e2a1bc09

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
f48a34ff73d986d736341396f1397c41

SHA1
3f6d9ab0cc47b6aa136b853cffa1aeb61d3e7806

SHA256
a5260e6ee89814be19edf6d02ee1872cfea2b4966ba918d148a4a38c68b33aa3

SHA512
c1b3b223eedf6017ac350ae259769d8cb68fa3178fb7ef00e1704a36c21ce41c67ea627105fef537924dd7c7a2108a5eff4d2c2ad46e4826cf663633df4bb2b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
11fbf12965159b1c4c9c3f77fe60445f

SHA1
6f0741f37dad0501695f5426e32c4d9e9d866b76

SHA256
131b2a3e82af36e3abba4a1edd3ae809a62a281d44409af8bea28c706ca25c88

SHA512
b2c1daef27e014dbb9108cd78c971502929cdac6d5d99a83320d5b3f0375cb78c9c5f4f4f9519e1b3f9b2ffc2707447642c1f5afe481faa70a1a66caa7879328

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lsy92t1y.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
00dc87b2f2c5cdacfbd268e4c5d5c85f

SHA1
f60c519938246003306ac37b2d90c2120744d1d7

SHA256
ddf7d790618422d8d71bb9533c74f6a91e1d9f9bfb7924a75edeb56980e95f9b

SHA512
d33b70460ef4350224d1c964d1f2ccd77a25f44796408ad4d4fec7c1e7ec2d9bb47a95a1f9449f4a79cb885253a7bf98dc3b6132e1324b30710af6a1035a2602

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
047dda8d29bbbf2b6e1c3f4212189eba

SHA1
eb10217bbf887b1ad9b984cb7a559b177e2c762a

SHA256
afd43463eba279dc102afa66f3ef7173885c540c02776217638de34e03486125

SHA512
84c38a784fa77686de5be91738fffd0371ca667eff0e117c87e8e2d676ef29b7defe21c7bfa83f00ef967d73d3983fb038bd07b93fde963ec5ae10a2f569a822

Download Submit
C:\Users\Admin\Desktop\NjRat-0.7D-main\1\NjRat.0.7D.Danger.Edition\Server.exe

Filesize
93KB

MD5
22f82e3d3b099f1117ab77a3fd7df57d

SHA1
4688f6ea677b177e313283dec93d65631cd88225

SHA256
2439176fc5a8da8a26794e2fbfb1edb390df82bbeddc6b5567024b02f037935e

SHA512
7fe7e1ee9973f4ab8771249b2a3eecaf1163b3cbc3ddaf590a8451142c9249d87e290578ed3723217fecb86073b0cad9f6c7a7b5cec7051d2f4288c1ff828b47

Download Submit
C:\Users\Admin\Desktop\NjRat-0.7D-main\NjRat.0.7D.Golden.Edition\stubs\copy.egg

Filesize
4B

MD5
f827cf462f62848df37c5e1e94a4da74

SHA1
88b33e4e12f75ac8bf792aebde41f1a090f3a612

SHA256
3cbc87c7681f34db4617feaa2c8801931bc5e42d8d0f560e756dd4cd92885f18

SHA512
28a91492cbd2575e48007219b2b990a75abbf70708f6b93fe7a7fbd41e310dccad1e7d7fdfa568f4bcb95cfdec21dbcf8a125d683d0b34e53441027f856bb3e1

Download Submit
C:\Users\Admin\Downloads\NjRat-0.BfDS2I_h.7D-main.zip.part

Filesize
43.3MB

MD5
11372ec11b77529f7d4f35b49b148d8a

SHA1
ef241aa786bef1565054bb8ba4fed2fbecf7118d

SHA256
25365152ad36e5dfed6b05153f5c1477160383af2fae36a24d59af14d76f5155

SHA512
89f3059d924a3b0dcba4ec5f2d797a36d42e271dab4fd8e48d3e16125ead38471182e45fd85658e3acc3758039c43e66dc41290e289cdf1d3185e22f1fd526f2

Download Submit
memory/936-1634-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/936-1635-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/936-1636-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2276-1403-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/2276-1404-0x0000000004EB0000-0x0000000004F4C000-memory.dmp

Filesize
624KB

Download
memory/2276-1405-0x0000000005730000-0x0000000005CD6000-memory.dmp

Filesize
5.6MB

Download
memory/2276-1406-0x0000000005290000-0x0000000005322000-memory.dmp

Filesize
584KB

Download
memory/2628-1231-0x000000001CDF0000-0x000000001CE3C000-memory.dmp

Filesize
304KB

Download
memory/2628-1218-0x000000001C070000-0x000000001C116000-memory.dmp

Filesize
664KB

Download
memory/2628-1389-0x0000000021960000-0x00000000219B2000-memory.dmp

Filesize
328KB

Download
memory/2628-1233-0x00000000216A0000-0x00000000216B2000-memory.dmp

Filesize
72KB

Download
memory/2628-1230-0x00000000019D0000-0x00000000019D8000-memory.dmp

Filesize
32KB

Download
memory/2628-1220-0x000000001CB60000-0x000000001CBFC000-memory.dmp

Filesize
624KB

Download
memory/2628-1219-0x000000001C5F0000-0x000000001CABE000-memory.dmp

Filesize
4.8MB

Download
memory/3364-616-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/3364-604-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/3364-617-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/3364-618-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/3364-619-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/3364-615-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/3364-620-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/3364-621-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/3364-622-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/3364-614-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/3364-613-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/3364-612-0x0000000075182000-0x0000000075183000-memory.dmp

Filesize
4KB

Download
memory/3364-611-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/3364-628-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/3364-600-0x0000000075182000-0x0000000075183000-memory.dmp

Filesize
4KB

Download
memory/3364-601-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/3364-603-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/3364-602-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/3364-1523-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/4132-1437-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4132-1433-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4556-1470-0x0000000006CD0000-0x0000000006CE8000-memory.dmp

Filesize
96KB

Download
memory/4556-1469-0x00000000053E0000-0x0000000005446000-memory.dmp

Filesize
408KB

Download
memory/4556-1633-0x0000000000BD0000-0x0000000000C16000-memory.dmp

Filesize
280KB

Download
memory/4556-1458-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads