Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 28/11/2024, 10:18
Behavioral tasks
- behavioral1: Sample 20041206224715280/77169.org˵.htm, Resource win7-20240729-en
- behavioral2: Sample 20041206224715280/77169.org˵.htm, Resource win10v2004-20241007-en
- behavioral3: Sample 20041206224715280/Client.dll, Resource win7-20240708-en
- behavioral4: Sample 20041206224715280/Client.dll, Resource win10v2004-20241007-en
- behavioral5: Sample 20041206224715280/Client.exe, Resource win7-20240903-en
- behavioral6: Sample 20041206224715280/Client.exe, Resource win10v2004-20241007-en
- behavioral7: Sample 20041206224715280/cgilogger/README.vbs, Resource win7-20240903-en
- behavioral8: Sample 20041206224715280/cgilogger/README.vbs, Resource win10v2004-20241007-en
- behavioral9: Sample 20041206224715280/cgilogger/setup.ps1, Resource win7-20241010-en
- behavioral10: Sample 20041206224715280/cgilogger/setup.ps1, Resource win10v2004-20241007-en
- behavioral11: Sample 20041206224715280/cgilogger/subseven.ps1, Resource win7-20241023-en
- behavioral12: Sample 20041206224715280/cgilogger/subseven.ps1, Resource win10v2004-20241007-en
- behavioral13: Sample 20041206224715280/server.exe, Resource win7-20240729-en
- behavioral14: Sample 20041206224715280/server.exe, Resource win10v2004-20241007-en
- behavioral15: Sample 20041206224715280/ĺڿͬ.url, Resource win7-20240903-en
- behavioral16: Sample 20041206224715280/ĺڿͬ.url, Resource win10v2004-20241007-en
General
- Target: 20041206224715280/server.exe
- Size: 217KB
- MD5: b085280cbbf3d0fd3a5464baeefa1ead
- SHA1: 27ac1205e90a4a5036cbd776dbd16fc1b6857b8f
- SHA256: 676cc781d63343a5511666f88409822d87fee0f5680b4d9281527cd67aed1983
- SHA512: b90715c6cbcf2070ebbebe04026a724230f7a2c69504e3a716ae01e9e541bf9450d75145cdbeff1c7b51ab22b4d05ea86303af779b226671724d99a1f18587e2
- SSDEEP: 6144:dteS9JWLN2dAlHz+kjuPyD6takN0RrjBAci:/9JsIdAlHz+9fSjBAN
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Modiloader family
ModiLoader Second Stage 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Adds Run key to start application 2 TTPs 64 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Registry Scanner = "C:\\Windows\\system32\\regscanr.exe"
Process: Process not Found
Drops file in System32 directory 64 IoCs
description: File created
ioc: C:\Windows\SysWOW64\regscanr.exe
Process: Process not Found
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: Process not Found
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\20041206224715280\server.exe, command line "C:\Users\Admin\AppData\Local\Temp\20041206224715280\server.exe", PID 2124
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 2: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 2364
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 2308
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 4: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 1656
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 2472
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 6: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 880
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 7: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 2832
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 8: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 2784
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 9: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 1272
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 10: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 2868
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 11: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 2964
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 12: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 2800
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 13: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 2624
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 14: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 2656
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 15: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 1252
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 16: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 2512
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 17: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 596
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 18: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 1044
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 19: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 3016
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 20: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 2612
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 21: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 2944
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 22: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 3032
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 23: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 3024
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Depth 24: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 1180
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Depth 25: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 1660
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Depth 26: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 3068
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Depth 27: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 3040
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Depth 28: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 2564
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Depth 29: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 2056
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Depth 30: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 2064
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Depth 31: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 1116
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Depth 32: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 1448
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Depths 33 to 65 each run C:\Windows\SysWOW64\regscanr.exe with command line C:\Windows\system32\regscanr.exe and each carries the single signature "Executes dropped EXE":
- Depth 33: PID 108
- Depth 34: PID 2140
- Depth 35: PID 1164
- Depth 36: PID 1560
- Depth 37: PID 1276
- Depth 38: PID 1652
- Depth 39: PID 372
- Depth 40: PID 1764
- Depth 41: PID 1744
- Depth 42: PID 1500
- Depth 43: PID 1016
- Depth 44: PID 2580
- Depth 45: PID 2476
- Depth 46: PID 1736
- Depth 47: PID 2360
- Depth 48: PID 1720
- Depth 49: PID 2548
- Depth 50: PID 780
- Depth 51: PID 2712
- Depth 52: PID 2088
- Depth 53: PID 2212
- Depth 54: PID 764
- Depth 55: PID 2068
- Depth 56: PID 1064
- Depth 57: PID 1208
- Depth 58: PID 1644
- Depth 59: PID 1440
- Depth 60: PID 2464
- Depth 61: PID 1632
- Depth 62: PID 2216
- Depth 63: PID 1588
- Depth 64: PID 1612
- Depth 65: PID 2756

Depths 66 to 115 each run C:\Windows\SysWOW64\regscanr.exe with command line C:\Windows\system32\regscanr.exe and carry no signatures:
- Depth 66: PID 2192
- Depth 67: PID 2844
- Depth 68: PID 2472
- Depth 69: PID 1484
- Depth 70: PID 2768
- Depth 71: PID 2832
- Depth 72: PID 2760
- Depth 73: PID 2864
- Depth 74: PID 2276
- Depth 75: PID 320
- Depth 76: PID 2652
- Depth 77: PID 2852
- Depth 78: PID 2620
- Depth 79: PID 2800
- Depth 80: PID 2692
- Depth 81: PID 380
- Depth 82: PID 1912
- Depth 83: PID 2932
- Depth 84: PID 1052
- Depth 85: PID 2512
- Depth 86: PID 1680
- Depth 87: PID 1972
- Depth 88: PID 2728
- Depth 89: PID 2816
- Depth 90: PID 3016
- Depth 91: PID 2936
- Depth 92: PID 2908
- Depth 93: PID 2544
- Depth 94: PID 1596
- Depth 95: PID 2020
- Depth 96: PID 3024
- Depth 97: PID 1180
- Depth 98: PID 1660
- Depth 99: PID 3068
- Depth 100: PID 3040
- Depth 101: PID 2564
- Depth 102: PID 2056
- Depth 103: PID 2064
- Depth 104: PID 1116
- Depth 105: PID 1448
- Depth 106: PID 2188
- Depth 107: PID 2164
- Depth 108: PID 644
- Depth 109: PID 952
- Depth 110: PID 1176
- Depth 111: PID 1096
- Depth 112: PID 1960
- Depth 113: PID 1768
- Depth 114: PID 1508
- Depth 115: PID 276

Depth 116: C:\Windows\SysWOW64\regscanr.exe, command line C:\Windows\system32\regscanr.exe, PID 616
- Adds Run key to start application

Depths 117 to 122 each run C:\Windows\SysWOW64\regscanr.exe with command line C:\Windows\system32\regscanr.exe and carry no signatures:
- Depth 117: PID 544
- Depth 118: PID 1816
- Depth 119: PID 692
- Depth 120: PID 1732
- Depth 121: PID 2100
- Depth 122: PID 1308