Overview
Score: 10

Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/11/2024, 10:18
These parameters belong to the run whose signatures are detailed below (behavioral14: 20041206224715280/server.exe on win10v2004-20241007-en).

Behavioral tasks
Every file in the submitted archive was run once on a Windows 7 x64 image (win7-* resources) and once on a Windows 10 2004 x64 image (win10v2004-* resource); the last column is the per-task score.

task          sample                                       resource                score
behavioral1   20041206224715280/77169.org˵.htm             win7-20240729-en        3
behavioral2   20041206224715280/77169.org˵.htm             win10v2004-20241007-en  3
behavioral3   20041206224715280/Client.dll                 win7-20240708-en        3
behavioral4   20041206224715280/Client.dll                 win10v2004-20241007-en  3
behavioral5   20041206224715280/Client.exe                 win7-20240903-en        10
behavioral6   20041206224715280/Client.exe                 win10v2004-20241007-en  10
behavioral7   20041206224715280/cgilogger/README.vbs       win7-20240903-en        1
behavioral8   20041206224715280/cgilogger/README.vbs       win10v2004-20241007-en  1
behavioral9   20041206224715280/cgilogger/setup.ps1        win7-20241010-en        6
behavioral10  20041206224715280/cgilogger/setup.ps1        win10v2004-20241007-en  6
behavioral11  20041206224715280/cgilogger/subseven.ps1     win7-20241023-en        3
behavioral12  20041206224715280/cgilogger/subseven.ps1     win10v2004-20241007-en  3
behavioral13  20041206224715280/server.exe                 win7-20240729-en        10
behavioral14  20041206224715280/server.exe                 win10v2004-20241007-en  10
behavioral15  20041206224715280/ĺڿͬ.url                    win7-20240903-en        1
behavioral16  20041206224715280/ĺڿͬ.url                    win10v2004-20241007-en  1
General
Target: 20041206224715280/server.exe
Size: 217KB
MD5: b085280cbbf3d0fd3a5464baeefa1ead
SHA1: 27ac1205e90a4a5036cbd776dbd16fc1b6857b8f
SHA256: 676cc781d63343a5511666f88409822d87fee0f5680b4d9281527cd67aed1983
SHA512: b90715c6cbcf2070ebbebe04026a724230f7a2c69504e3a716ae01e9e541bf9450d75145cdbeff1c7b51ab22b4d05ea86303af779b226671724d99a1f18587e2
SSDEEP: 6144:dteS9JWLN2dAlHz+kjuPyD6takN0RrjBAci:/9JsIdAlHz+9fSjBAN
Malware Config
Signatures
-
ModiLoader (also tracked as DBatLoader)
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 64 IoCs
resource / yara_rule:
behavioral14/files/0x000c000000023b20-2.dat  modiloader_stage2
behavioral14/memory/<pid>-<n>-0x0000000000400000-0x000000000043C000-memory.dmp  modiloader_stage2, one dump per process, with pid-n = 5092-4, 4532-6, 3316-8, 5012-10, 2940-12, 3340-14, 2728-16, 428-18, 540-21, 1096-22, 1776-24, 4912-26, 1672-28, 2536-30, 2440-32, 1612-34, 2808-36, 4596-38, 3984-40, 4484-42, 2992-44, 2756-46, 4316-48, 1724-50, 1804-52, 3908-54, 4052-56, 4468-58, 3260-60, 2388-62, 5072-64, 2736-66, 1324-68, 2016-70, 3872-72, 3132-74, 3952-76, 2372-78, 1508-80, 4856-82, 2436-84, 4392-86, 1244-88, 4920-90, 336-92, 2812-94, 1512-96, 1380-98, 1420-100, 2860-102, 3684-104, 2696-106, 376-108, 2564-110, 2036-112, 2172-114, 2648-116, 1132-118, 2872-120, 1596-122, 4424-124, 4456-126, 964-128
Every memory hit is the same 0x3C000-byte region at 0x400000, the default image base of a 32-bit executable, and the PIDs are those of server.exe (5092) and the regscanr.exe copies listed in the next signature. The rule is therefore matching the sample's own mapped main module in each of those processes, not code injected into a foreign process.
-
Executes dropped EXE 64 IoCs
pid Process: regscanr.exe, 64 launches with PIDs 4532, 3316, 5012, 2940, 3340, 2728, 428, 540, 1096, 1776, 4912, 1672, 2536, 2440, 1612, 2808, 4596, 3984, 4484, 2992, 2756, 4316, 1724, 1804, 3908, 4052, 4468, 3260, 2388, 5072, 2736, 1324, 2016, 3872, 3132, 3952, 2372, 1508, 4856, 2436, 4392, 1244, 4920, 336, 2812, 1512, 1380, 1420, 2860, 3684, 2696, 376, 2564, 2036, 2172, 2648, 1132, 2872, 1596, 4424, 4456, 964, 3256, 3456
All 64 launches are the same dropped binary. Taken together with the two signatures below, where regscanr.exe itself re-creates C:\Windows\SysWOW64\regscanr.exe and re-writes the Run value, this indicates that each copy drops and starts the next one over the 150 s run; the many "Process not Found" attributions show the parent usually exited before the sandbox could resolve it.
-
Adds Run key to start application 2 TTPs 64 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Registry Scanner = "C:\\Windows\\system32\\regscanr.exe"
64 entries with identical key and data, attributed to regscanr.exe or, where the writing process had already exited, Process not Found (ATT&CK T1547.001, Registry Run Keys).
The value name "Registry Scanner" is chosen to pass for a maintenance tool. The key sits under WOW6432Node because the sample is 32-bit: it wrote HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and WOW64 registry redirection placed the value there, so checking only the native 64-bit Run key misses it. Note also that the data names C:\Windows\system32\ while the file is actually dropped in C:\Windows\SysWOW64\ (file-system redirection, see the next signature); a 64-bit process that follows this path verbatim finds nothing there, so confirm on the host whether the autostart actually fires rather than assuming it does.
-
Drops file in System32 directory 64 IoCs
File created C:\Windows\SysWOW64\regscanr.exe (64 entries, attributed to regscanr.exe or, where the writing process had already exited, Process not Found)
The signature name says System32, but on this x64 image the 32-bit sample's writes to C:\Windows\system32\ are redirected by WOW64 to C:\Windows\SysWOW64\, which is the path to look for on a host. The entries attributed to regscanr.exe show each running copy re-dropping the binary.
-
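The Run-key, file-drop, dropped-EXE and memory-dump entries above are machine-generated and run together on the page. The following Python is an added example, not code from the sandbox or from the sample, that parses that entry format into records and derives what to check on a suspect host: the two registry views of the Run key, the redirected on-disk path, the YARA hit regions and the PID chain. It uses only the standard library; the SAMPLE text is constructed here from a handful of the entries shown above, and the regular expressions are this example's own assumptions about the format.

```python
"""Added example: structure the run-together IoC lines of a sandbox report and
derive host-hunting checks for the regscanr.exe persistence described above."""
import re
from collections import Counter

# Constructed input: a few entries copied in shape from this report's sections
# (the page runs many entries together on one line, as does this sample).
SAMPLE = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Registry Scanner = "C:\\Windows\\system32\\regscanr.exe" regscanr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Registry Scanner = "C:\\Windows\\system32\\regscanr.exe" Process not Found
File created C:\Windows\SysWOW64\regscanr.exe Process not Found File created C:\Windows\SysWOW64\regscanr.exe regscanr.exe
behavioral14/files/0x000c000000023b20-2.dat modiloader_stage2 behavioral14/memory/5092-4-0x0000000000400000-0x000000000043C000-memory.dmp modiloader_stage2 behavioral14/memory/4532-6-0x0000000000400000-0x000000000043C000-memory.dmp modiloader_stage2
pid Process 4532 regscanr.exe 3316 regscanr.exe 5012 regscanr.exe
"""

# The sandbox attributes each event to the acting process, or to
# "Process not Found" when that process had already exited.
PROC = r"(\S+\.exe|Process not Found)"
REG_RE = re.compile(r'Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*?)" ' + PROC)
FILE_RE = re.compile(r"File created (\S+) " + PROC)
MEM_RE = re.compile(
    r"(behavioral\d+)/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\w+)")
PID_RE = re.compile(r"(\d+) (\S+\.exe)")
HIVES = {"\\REGISTRY\\MACHINE": "HKLM", "\\REGISTRY\\USER": "HKU"}


def parse_registry(text):
    # The report escapes backslashes inside string data ("C:\\Windows\\...").
    return [{"type": t, "key": k, "data": d.replace("\\\\", "\\"), "process": p}
            for t, k, d, p in REG_RE.findall(text)]


def parse_files(text):
    return [{"path": p, "process": proc} for p, proc in FILE_RE.findall(text)]


def parse_memory(text):
    return [{"task": task, "pid": int(pid), "start": int(s, 16), "end": int(e, 16), "rule": rule}
            for task, pid, _, s, e, rule in MEM_RE.findall(text)]


def parse_dropped_pids(text):
    """PIDs from an 'Executes dropped EXE' line ('pid Process 4532 regscanr.exe ...')."""
    return [(int(p), n) for line in text.splitlines() if line.startswith("pid Process")
            for p, n in PID_RE.findall(line)]


def registry_views(native_key):
    """Map a native \\REGISTRY\\... key to its 64-bit and 32-bit hunting paths.
    A 32-bit process writing HKLM\\SOFTWARE\\... under WOW64 is redirected into
    WOW6432Node; the 32-bit view (reg query ... /reg:32) shows it without it."""
    for prefix, hive in HIVES.items():
        if native_key.startswith(prefix):
            key64 = hive + native_key[len(prefix):]
            return key64, key64.replace("\\WOW6432Node", "", 1)
    raise ValueError("unknown hive: " + native_key)


def wow64_file_path(path):
    """File-system redirection: for a 32-bit process C:\\Windows\\system32\\ is
    really C:\\Windows\\SysWOW64\\, which is where the drop shows up on disk."""
    return re.sub(r"(?i)\\Windows\\system32\\", r"\\Windows\\SysWOW64\\", path)


def hunt_summary(text):
    regs, files = parse_registry(text), parse_files(text)
    mem, pids = parse_memory(text), parse_dropped_pids(text)
    run_values = sorted({(r["key"], r["data"]) for r in regs})
    # In this report format the value name is appended to the key path.
    key, value_name = run_values[0][0].rsplit("\\", 1)
    key64, key32 = registry_views(key)
    data = run_values[0][1]
    drop_paths = {f["path"] for f in files}
    return {
        "run_key_64bit_view": key64,
        "run_key_32bit_view": key32,
        "run_value_name": value_name,
        "run_data": data,
        "expected_on_disk": wow64_file_path(data),
        "drop_matches_redirected_run_data": wow64_file_path(data) in drop_paths,
        "dropped_paths": sorted(drop_paths),
        "image_ranges": sorted({(m["start"], m["end"]) for m in mem}),
        "yara_hits_by_rule": dict(Counter(m["rule"] for m in mem)),
        "dropped_exe_pids": [p for p, _ in pids],
        "attribution": dict(Counter(r["process"] for r in regs)),
    }


if __name__ == "__main__":
    for k, v in hunt_summary(SAMPLE).items():
        print(f"{k}: {v}")
```

On a host the two registry paths the summary returns are the ones to query: the 64-bit view with `reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Registry Scanner"`, and the 32-bit view with the same key minus WOW6432Node plus `/reg:32`; the file should be looked for under SysWOW64, not System32. Feed the full signature text of the page in place of SAMPLE to get all 64 PIDs and dump regions.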
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host (ATT&CK T1614.001).
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (64 entries, attributed to regscanr.exe or, where the process had already exited, Process not Found)
This key is read during ordinary locale initialisation by a great many benign programs, so on its own it is a weak indicator; it adds little to the persistence and YARA hits above and should not be used as a stand-alone detection.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (four entries per process): 5092 server.exe; regscanr.exe 4532, 3316, 5012, 2940, 3340, 2728, 428, 540, 1096, 1776, 4912, 1672, 2536, 2440, 1612
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Each entry is a child of the entry one level above it (the report's ⤵ marker); the level number is the depth in the process tree.

- Level 1: C:\Users\Admin\AppData\Local\Temp\20041206224715280\server.exe (command line: "C:\Users\Admin\AppData\Local\Temp\20041206224715280\server.exe"), PID 5092
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 2: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4532
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 3: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3316
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 4: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 5012
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 5: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2940
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 6: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3340
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 7: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2728
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 8: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 428
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 9: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 540
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 10: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1096
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 11: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1776
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 12: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4912
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 13: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1672
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 14: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2536
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 15: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2440
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 16: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1612
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 17: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2808
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 18: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4596
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 19: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3984
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 20: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4484
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 21: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2992
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 22: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2756
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 23: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4316
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- Level 24: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1724
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- Level 25: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1804
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- Level 26: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3908
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- Level 27: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4052
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- Level 28: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4468
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- Level 29: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3260
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- Level 30: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2388
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- Level 31: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 5072
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- Level 32: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2736
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- Level 33: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1324
  - Executes dropped EXE
- Level 34: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2016
  - Executes dropped EXE
- Level 35: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3872
  - Executes dropped EXE
- Level 36: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3132
  - Executes dropped EXE
- Level 37: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3952
  - Executes dropped EXE
- Level 38: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2372
  - Executes dropped EXE
- Level 39: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1508
  - Executes dropped EXE
- Level 40: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4856
  - Executes dropped EXE
- Level 41: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2436
  - Executes dropped EXE
- Level 42: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4392
  - Executes dropped EXE
- Level 43: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1244
  - Executes dropped EXE
- Level 44: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4920
  - Executes dropped EXE
- Level 45: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 336
  - Executes dropped EXE
- Level 46: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2812
  - Executes dropped EXE
- Level 47: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1512
  - Executes dropped EXE
- Level 48: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1380
  - Executes dropped EXE
- Level 49: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1420
  - Executes dropped EXE
- Level 50: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2860
  - Executes dropped EXE
- Level 51: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3684
  - Executes dropped EXE
- Level 52: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2696
  - Executes dropped EXE
- Level 53: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 376
  - Executes dropped EXE
- Level 54: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2564
  - Executes dropped EXE
- Level 55: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2036
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- Level 56: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2172
  - Executes dropped EXE
- Level 57: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2648
  - Executes dropped EXE
  - Adds Run key to start application
- Level 58: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1132
  - Executes dropped EXE
- Level 59: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2872
  - Executes dropped EXE
- Level 60: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1596
  - Executes dropped EXE
- Level 61: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4424
  - Executes dropped EXE
- Level 62: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4456
  - Executes dropped EXE
- Level 63: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 964
  - Executes dropped EXE
  - Drops file in System32 directory
- Level 64: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3256
  - Executes dropped EXE
- Level 65: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3456
  - Executes dropped EXE
- Level 66: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4768
- Level 67: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4832
- Level 68: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4228
- Level 69: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1860
- Level 70: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1672
- Level 71: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2496
  - Drops file in System32 directory
- Level 72: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3904
- Level 73: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4664
- Level 74: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3876
- Level 75: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2104
- Level 76: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2944
- Level 77: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1368
- Level 78: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1416
- Level 79: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2228
- Level 80: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2072
- Level 81: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3264
- Level 82: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2124
  - Drops file in System32 directory
- Level 83: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4984
- Level 84: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 720
- Level 85: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2244
- Level 86: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2524
- Level 87: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3368
- Level 88: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4468
- Level 89: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2088
- Level 90: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4124
- Level 91: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1320
- Level 92: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1180
- Level 93: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3448
- Level 94: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 5088
- Level 95: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3060
- Level 96: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 992
- Level 97: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3132
- Level 98: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1012
- Level 99: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 5036
- Level 100: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4780
- Level 101: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 5116
- Level 102: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3672
- Level 103: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 5044
- Level 104: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4496
- Level 105: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1440
- Level 106: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 572
- Level 107: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1400
- Level 108: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 336
- Level 109: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2812
- Level 110: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2164
- Level 111: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 2520
- Level 112: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 732
- Level 113: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3380
- Level 114: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1120
- Level 115: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 4260
- Level 116: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3868
- Level 117: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3612
- Level 118: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1836
- Level 119: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 3488
- Level 120: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 628
- Level 121: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1080
- Level 122: C:\Windows\SysWOW64\regscanr.exe (command line: C:\Windows\system32\regscanr.exe), PID 1344