Analysis
- max time kernel: 152s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
- submitted: 04/12/2022, 09:32
Behavioral task: behavioral1
- Sample: e17cceeae666be272ca3e727aca6db612649c3e16686209f46c5259f06930b50.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: e17cceeae666be272ca3e727aca6db612649c3e16686209f46c5259f06930b50.exe
- Resource: win10v2004-20220812-en
General
- Target: e17cceeae666be272ca3e727aca6db612649c3e16686209f46c5259f06930b50.exe
- Size: 595KB
- MD5: 1dedd2af7af8b129ba56e995dbd712c3
- SHA1: 806cefe6389700176a5678ed70ebaad9ab5cd578
- SHA256: e17cceeae666be272ca3e727aca6db612649c3e16686209f46c5259f06930b50
- SHA512: 8883ac642dc751b7b83f5960b5a1ea5b75f90647fcaa502ba34ea9af7f230ed6f6f09bb7dc199447d487c907c90c53772e2af562ccb7d1cad69c2afa2b02702b
- SSDEEP: 12288:AKLn8V3EGAJi/lKSGWkxkbX1voWOAfWjhuzBMD4jTrS:AKA30uKSHk9A+jlWO
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (55 IoCs)
- Executes dropped EXE (64 IoCs)
- Loads dropped DLL (64 IoCs)
- Adds Run key to start application (2 TTPs, 64 IoCs)
  description / ioc / Process:
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe
  (this identical entry is repeated 64 times, once per vssms32.exe instance)
- Drops file in System32 directory (64 IoCs)
  description / ioc / Process:
  File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe
  File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe
  (the 64 entries are repetitions of these two)
- Drops file in Windows directory (3 IoCs)
  description / ioc / Process:
  File created C:\Windows\Program.EXE e17cceeae666be272ca3e727aca6db612649c3e16686209f46c5259f06930b50.exe
  File created C:\Windows\Program.JPG e17cceeae666be272ca3e727aca6db612649c3e16686209f46c5259f06930b50.exe
  File opened for modification C:\Windows\Program.JPG DllHost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid / Process: 1312 DllHost.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\e17cceeae666be272ca3e727aca6db612649c3e16686209f46c5259f06930b50.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e17cceeae666be272ca3e727aca6db612649c3e16686209f46c5259f06930b50.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 1536
- Level 2: C:\Windows\Program.EXE
  Command line: "C:\Windows\Program.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 616
- Level 3: C:\Windows\SysWOW64\vssms32.exe
  Command line: "C:\Windows\system32\vssms32.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 1624
- Level 4: C:\Windows\SysWOW64\vssms32.exe
  Command line: "C:\Windows\system32\vssms32.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 792
- Level 5: C:\Windows\SysWOW64\vssms32.exe
  Command line: "C:\Windows\system32\vssms32.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1320
- Level 6: C:\Windows\SysWOW64\vssms32.exe
  Command line: "C:\Windows\system32\vssms32.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1576
- Level 7: C:\Windows\SysWOW64\vssms32.exe
  Command line: "C:\Windows\system32\vssms32.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1964
- Level 8: C:\Windows\SysWOW64\vssms32.exe
  Command line: "C:\Windows\system32\vssms32.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1888
- Level 9: C:\Windows\SysWOW64\vssms32.exe
  Command line: "C:\Windows\system32\vssms32.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1656
- Level 10: C:\Windows\SysWOW64\vssms32.exe
  Command line: "C:\Windows\system32\vssms32.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1900
- Level 11: C:\Windows\SysWOW64\vssms32.exe
  Command line: "C:\Windows\system32\vssms32.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 468
- Level 12: C:\Windows\SysWOW64\vssms32.exe
  Command line: "C:\Windows\system32\vssms32.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 556
- Level 13: C:\Windows\SysWOW64\vssms32.exe
  Command line: "C:\Windows\system32\vssms32.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1492
- Level 14: C:\Windows\SysWOW64\vssms32.exe
  Command line: "C:\Windows\system32\vssms32.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 808
- Level 15: C:\Windows\SysWOW64\vssms32.exe
  Command line: "C:\Windows\system32\vssms32.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 1308
- Level 16: C:\Windows\SysWOW64\vssms32.exe
  Command line: "C:\Windows\system32\vssms32.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 960
- Level 17: C:\Windows\SysWOW64\vssms32.exe
  Command line: "C:\Windows\system32\vssms32.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID: 1368
- Level 18: C:\Windows\SysWOW64\vssms32.exe
  Command line: "C:\Windows\system32\vssms32.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID: 1628
- Level 19: C:\Windows\SysWOW64\vssms32.exe
  Command line: "C:\Windows\system32\vssms32.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 968
- Level 20: C:\Windows\SysWOW64\vssms32.exe
  Command line: "C:\Windows\system32\vssms32.exe"
  - Executes dropped EXE
  - Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1440 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"22⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1140 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:560 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1476 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:684 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1316 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"36⤵
- Executes dropped EXE
- Adds Run key to start application
PID:796 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"37⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1164 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"38⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1752 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"39⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1756 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"40⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"42⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1404 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"44⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"45⤵
- Executes dropped EXE
- Adds Run key to start application
PID:304 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1100 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"47⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1364 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"50⤵
- Executes dropped EXE
- Adds Run key to start application
PID:788 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"51⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:884 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"53⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1976 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"54⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"55⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"56⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"57⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1360 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"58⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"59⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1484 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"60⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"61⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"63⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1820 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"64⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"65⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1340 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"66⤵PID:1876
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"67⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:364 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"68⤵PID:2020
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"69⤵
- Adds Run key to start application
PID:1216 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"70⤵PID:280
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"71⤵PID:1724
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"72⤵
- Drops file in System32 directory
PID:820 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"73⤵PID:624
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"74⤵
- Adds Run key to start application
PID:108 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"75⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1448 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"76⤵PID:520
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"77⤵PID:1892
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"78⤵PID:1896
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"79⤵
- Adds Run key to start application
PID:1092 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"80⤵PID:296
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"81⤵PID:1148
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"82⤵
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"83⤵PID:1740
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"84⤵PID:996
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"85⤵PID:284
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"86⤵PID:972
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"87⤵PID:1064
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"88⤵PID:1028
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"89⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"90⤵PID:924
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"91⤵PID:1096
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"92⤵PID:1596
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"93⤵
- Adds Run key to start application
PID:552 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"94⤵
- Adds Run key to start application
PID:284 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"95⤵
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"96⤵
- Adds Run key to start application
PID:1204 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"97⤵PID:1192
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"98⤵PID:1188
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"99⤵PID:568
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"100⤵PID:524
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"101⤵PID:1248
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"102⤵PID:1908
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"103⤵PID:920
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"104⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:768 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"105⤵PID:980
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"106⤵PID:1600
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"107⤵PID:1144
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"108⤵PID:956
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"109⤵
- Adds Run key to start application
PID:1648 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"110⤵
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"111⤵PID:892
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"112⤵PID:2032
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"113⤵PID:660
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"114⤵
- Adds Run key to start application
PID:1408 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"115⤵
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"116⤵PID:864
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"117⤵PID:268
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"118⤵PID:1980
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"119⤵PID:1240
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"120⤵
- Adds Run key to start application
PID:1632 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"121⤵
- Adds Run key to start application
PID:1744 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"122⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1536