Analysis
max time kernel: 95s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/09/2024, 23:19
Static task: static1
Behavioral task: behavioral1
  Sample: f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe
Size: 606KB
MD5: f70ddc97b207adabe689119ffdb417fb
SHA1: ab4eb75749181630430d5b8ef89561c960b2845b
SHA256: 80c67c07d6633052260435fa5e44b50d4f72c6cc174c5fdbcc75c88e01506788
SHA512: 8d56f94912ec9a839737c3cf43c50d4b9baa434c7b8d4812a2390c19473fd6be0d3ce234f7d7de8b1152e93678647200ca91c27a3c472926da8b5212db0bdf1b
SSDEEP: 12288:1GP7WUtpdOy2R+9zR2yXuhcW3PtPgRWkFouZRLBKf1zg2/nBL:1GXtPB9NhXuWYtPrkFLBcU8BL
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Checks BIOS information in registry 2 TTPs 64 IoCs
BIOS information is often read in order to detect sandboxing environments.
Executes dropped EXE 64 IoCs
Adds Run key to start application 2 TTPs 64 IoCs
Drops file in System32 directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet server.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier server.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key value queried 
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier server.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet server.exe Key value enumerated 
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier server.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet server.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet server.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet server.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried 
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier server.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet server.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe -
Enumerates system info in registry 2 TTPs 64 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier 
server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value 
queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 632 f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe 2240 server.exe 2868 server.exe 2492 server.exe 2288 server.exe 348 server.exe 1388 server.exe 2216 server.exe 1500 server.exe 3000 server.exe 1636 server.exe 2280 server.exe 1204 server.exe 2872 server.exe 2768 server.exe 2976 server.exe 3068 server.exe 1256 server.exe 2964 server.exe 2212 server.exe 2552 server.exe 848 server.exe 1680 server.exe 2488 server.exe 1816 server.exe 2012 server.exe 2744 server.exe 1568 server.exe 2988 server.exe 2760 server.exe 444 server.exe 348 server.exe 1388 server.exe 1696 server.exe 2808 server.exe 772 server.exe 2016 server.exe 1612 server.exe 1148 server.exe 2856 server.exe 2428 server.exe 1012 server.exe 692 server.exe 2912 server.exe 2656 server.exe 2920 server.exe 1800 server.exe 1840 server.exe 2024 server.exe 2392 server.exe 2944 server.exe 1984 server.exe 2624 server.exe 2620 server.exe 596 server.exe 2604 server.exe 1512 server.exe 348 server.exe 416 server.exe 1912 server.exe 1772 server.exe 772 server.exe 876 server.exe 2700 server.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 632 f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe 2240 server.exe 2868 server.exe 2492 server.exe 2288 server.exe 348 server.exe 1388 server.exe 2216 server.exe 1500 server.exe 3000 server.exe 1636 server.exe 2280 server.exe 1204 server.exe 2872 server.exe 2768 server.exe 2976 server.exe 3068 server.exe 1256 server.exe 2964 server.exe 2212 server.exe 2552 server.exe 848 server.exe 1680 server.exe 2488 server.exe 1816 server.exe 2012 server.exe 2744 server.exe 1568 server.exe 2988 server.exe 2760 server.exe 444 server.exe 348 server.exe 1388 server.exe 1696 server.exe 2808 server.exe 772 server.exe 2016 server.exe 1612 server.exe 1148 server.exe 2856 server.exe 2428 server.exe 1012 server.exe 692 server.exe 2912 server.exe 2656 server.exe 2920 server.exe 1800 server.exe 1840 server.exe 2024 server.exe 2392 server.exe 2944 server.exe 1984 server.exe 2624 server.exe 2620 server.exe 596 server.exe 2604 server.exe 1512 server.exe 348 server.exe 416 server.exe 1912 server.exe 1772 server.exe 772 server.exe 876 server.exe 2700 server.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 632 wrote to memory of 1236 632 f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe 21 PID 632 wrote to memory of 1236 632 f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe 21 PID 632 wrote to memory of 1236 632 f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe 21 PID 632 wrote to memory of 1236 632 f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe 21 PID 632 wrote to memory of 2240 632 f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe 30 PID 632 wrote to memory of 2240 632 f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe 30 PID 632 wrote to memory of 2240 632 f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe 30 PID 632 wrote to memory of 2240 632 f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe 30 PID 2240 wrote to memory of 1236 2240 server.exe 21 PID 2240 wrote to memory of 1236 2240 server.exe 21 PID 2240 wrote to memory of 1236 2240 server.exe 21 PID 2240 wrote to memory of 1236 2240 server.exe 21 PID 2240 wrote to memory of 2868 2240 server.exe 31 PID 2240 wrote to memory of 2868 2240 server.exe 31 PID 2240 wrote to memory of 2868 2240 server.exe 31 PID 2240 wrote to memory of 2868 2240 server.exe 31 PID 2868 wrote to memory of 1236 2868 server.exe 21 PID 2868 wrote to memory of 1236 2868 server.exe 21 PID 2868 wrote to memory of 1236 2868 server.exe 21 PID 2868 wrote to memory of 1236 2868 server.exe 21 PID 2868 wrote to memory of 2492 2868 server.exe 32 PID 2868 wrote to memory of 2492 2868 server.exe 32 PID 2868 wrote to memory of 2492 2868 server.exe 32 PID 2868 wrote to memory of 2492 2868 server.exe 32 PID 2492 wrote to memory of 1236 2492 server.exe 21 PID 2492 wrote to memory of 1236 2492 server.exe 21 PID 2492 wrote to memory of 1236 2492 server.exe 21 PID 2492 wrote to memory of 1236 2492 server.exe 21 PID 2492 wrote to memory of 2288 2492 server.exe 33 PID 2492 wrote to memory of 2288 2492 server.exe 33 PID 2492 wrote to memory of 2288 2492 server.exe 33 PID 2492 wrote to memory of 2288 2492 
server.exe 33 PID 2288 wrote to memory of 1236 2288 server.exe 21 PID 2288 wrote to memory of 1236 2288 server.exe 21 PID 2288 wrote to memory of 1236 2288 server.exe 21 PID 2288 wrote to memory of 1236 2288 server.exe 21 PID 2288 wrote to memory of 348 2288 server.exe 34 PID 2288 wrote to memory of 348 2288 server.exe 34 PID 2288 wrote to memory of 348 2288 server.exe 34 PID 2288 wrote to memory of 348 2288 server.exe 34 PID 348 wrote to memory of 1236 348 server.exe 21 PID 348 wrote to memory of 1236 348 server.exe 21 PID 348 wrote to memory of 1236 348 server.exe 21 PID 348 wrote to memory of 1236 348 server.exe 21 PID 348 wrote to memory of 1388 348 server.exe 35 PID 348 wrote to memory of 1388 348 server.exe 35 PID 348 wrote to memory of 1388 348 server.exe 35 PID 348 wrote to memory of 1388 348 server.exe 35 PID 1388 wrote to memory of 1236 1388 server.exe 21 PID 1388 wrote to memory of 1236 1388 server.exe 21 PID 1388 wrote to memory of 1236 1388 server.exe 21 PID 1388 wrote to memory of 1236 1388 server.exe 21 PID 1388 wrote to memory of 2216 1388 server.exe 36 PID 1388 wrote to memory of 2216 1388 server.exe 36 PID 1388 wrote to memory of 2216 1388 server.exe 36 PID 1388 wrote to memory of 2216 1388 server.exe 36 PID 2216 wrote to memory of 1236 2216 server.exe 21 PID 2216 wrote to memory of 1236 2216 server.exe 21 PID 2216 wrote to memory of 1236 2216 server.exe 21 PID 2216 wrote to memory of 1236 2216 server.exe 21 PID 2216 wrote to memory of 1500 2216 server.exe 37 PID 2216 wrote to memory of 1500 2216 server.exe 37 PID 2216 wrote to memory of 1500 2216 server.exe 37 PID 2216 wrote to memory of 1500 2216 server.exe 37
Processes
-
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | depth 1 | PID:1236
-
C:\Users\Admin\AppData\Local\Temp\f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe" | depth 2
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Users\Admin\AppData\Local\Temp\f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe" | depth 3
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 4
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 5
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 6
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 7
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 8
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 9
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 10
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1500 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 11
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3000 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 12
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1636 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 13
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2280 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 14
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1204 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 15
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2872 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 16
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2768 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 17
- Boot or Logon Autostart Execution: Active Setup
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2976 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 18
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3068 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 19
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1256 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 20
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2964 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 21
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2212 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 22
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2552 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 23
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:848 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 24
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1680 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 25
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2488 -
C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe" | depth 26
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1816 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"27⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2012 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"28⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2744 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1568 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"30⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2988 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"31⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2760 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"32⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:444 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"33⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:348 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"34⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1388 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"35⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1696 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"36⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2808 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"37⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:772 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"38⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2016 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"39⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1612 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"40⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1148 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"41⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2856 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"42⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2428 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"43⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1012 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:692 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"45⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2912 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"46⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2656 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"47⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2920 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"48⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1800 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"49⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1840 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"50⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2024 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"51⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2392 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"52⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2944 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"53⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1984 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"54⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2624 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"55⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2620 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"56⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:596 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"57⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2604 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"58⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1512 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"59⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:348 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"60⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:416 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"61⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1912 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"62⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1772 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"63⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:772 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"64⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:876 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2700 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"66⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"67⤵
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"68⤵PID:2684
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"69⤵PID:1376
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"70⤵PID:2092
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"71⤵PID:2356
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"72⤵PID:1700
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"73⤵PID:1404
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"74⤵PID:2228
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"75⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks processor information in registry
PID:2104 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"76⤵PID:1724
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"77⤵PID:3044
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"78⤵
- Adds Run key to start application
- Enumerates system info in registry
PID:2800 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"79⤵PID:2240
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"80⤵PID:2788
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"81⤵PID:1200
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"82⤵
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"83⤵
- Enumerates system info in registry
PID:2224 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"84⤵PID:1248
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"85⤵PID:2592
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"86⤵
- Enumerates system info in registry
PID:1748 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"87⤵PID:1404
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"88⤵PID:1032
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"89⤵PID:2024
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"90⤵PID:2740
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"91⤵
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"92⤵PID:2088
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"93⤵PID:2084
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"94⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
- Checks processor information in registry
PID:1428 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"95⤵PID:2972
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"96⤵
- Checks processor information in registry
PID:1564 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"97⤵
- Checks processor information in registry
PID:2356 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"98⤵
- Checks processor information in registry
PID:1388 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"99⤵PID:2216
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"100⤵
- Adds Run key to start application
PID:1708 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"101⤵PID:1196
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"102⤵
- Checks processor information in registry
PID:2708 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"103⤵
- Adds Run key to start application
- Checks processor information in registry
PID:1252 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"104⤵PID:2588
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"105⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks BIOS information in registry
PID:2844 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"106⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2948 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"107⤵PID:2936
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"108⤵PID:2276
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"109⤵
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"110⤵PID:848
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"111⤵PID:1768
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"112⤵
- Enumerates system info in registry
PID:1548 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"113⤵
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"114⤵PID:2752
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"115⤵
- Checks BIOS information in registry
PID:3056 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"116⤵PID:2724
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"117⤵PID:2640
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"118⤵
- Checks BIOS information in registry
PID:2672 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"119⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:596 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"120⤵
- Adds Run key to start application
PID:2916 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"121⤵
- Checks BIOS information in registry
PID:2336 -
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"122⤵
- System Location Discovery: System Language Discovery
PID:1540