Analysis
-
max time kernel
68s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
07-05-2024 07:45
Behavioral task
behavioral1
Sample
1fedfc97d52dc13ed6cebde7519bf7a8_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1fedfc97d52dc13ed6cebde7519bf7a8_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
1fedfc97d52dc13ed6cebde7519bf7a8_JaffaCakes118.exe
-
Size
730KB
-
MD5
1fedfc97d52dc13ed6cebde7519bf7a8
-
SHA1
a5586c63c2e4eb65ce4c3f1a3070e7e01fbba470
-
SHA256
4851611ebb2a33698be0ed454cbaf495d86925ef472c6cdc5b799e259c573b3c
-
SHA512
aa67f72731ff7045ae899d4ba2cf861149c8524c92e38de2eee0bb707745a87bff6a0c7210abdf3a3ebfb49e3d34edec4588f3ba167368c8a8b64a311aaa829e
-
SSDEEP
12288:Y9nTQAiVtuiwlF4w+dGnS0LzPgm8cryDYTS7b9ihfJEdp86nH3UqCILs9:Y9nNMmlyeS0LzgsryuS7b9ihz6Ox
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 64 IoCs
Processes:
resource yara_rule
\Windows\SysWOW64\vssms32.exe modiloader_stage2
-
Executes dropped EXE 64 IoCs
Processes:
vssms32.exe
-
Loads dropped DLL 64 IoCs
Processes:
1fedfc97d52dc13ed6cebde7519bf7a8_JaffaCakes118.exe
vssms32.exe
-
Adds Run key to start application 2 TTPs 64 IoCs
Processes:
vssms32.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"
process: vssms32.exe
-
Drops file in System32 directory 64 IoCs
Processes:
1fedfc97d52dc13ed6cebde7519bf7a8_JaffaCakes118.exe
vssms32.exe
description ioc process
File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe
File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe
File opened for modification C:\Windows\SysWOW64\vssms32.exe 1fedfc97d52dc13ed6cebde7519bf7a8_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1fedfc97d52dc13ed6cebde7519bf7a8_JaffaCakes118.exe
vssms32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1fedfc97d52dc13ed6cebde7519bf7a8_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\1fedfc97d52dc13ed6cebde7519bf7a8_JaffaCakes118.exe" 1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\vssms32.exe "C:\Windows\system32\vssms32.exe" 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\vssms32.exe "C:\Windows\system32\vssms32.exe" 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\vssms32.exe "C:\Windows\system32\vssms32.exe" 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\vssms32.exe "C:\Windows\system32\vssms32.exe" 5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\vssms32.exe "C:\Windows\system32\vssms32.exe" 6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\vssms32.exe "C:\Windows\system32\vssms32.exe" 7⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\vssms32.exe "C:\Windows\system32\vssms32.exe" 8⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:704 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"22⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2884 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"24⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1304 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"27⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1940 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"31⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1244 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"33⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2584 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"34⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"35⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2444 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"38⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"39⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2508 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"41⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"42⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1868 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"43⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"44⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"45⤵
- Executes dropped EXE
- Adds Run key to start application
PID:628 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"46⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"47⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2808 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"48⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1084 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"49⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"50⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"51⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:336 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"52⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1040 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"54⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"55⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1804 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"56⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"58⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"59⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"60⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1340 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"61⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1304 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"62⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"63⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1164 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"64⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2288 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"66⤵PID:876
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"67⤵PID:1720
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"68⤵
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"69⤵PID:2664
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"70⤵PID:2584
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"71⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"72⤵PID:2604
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"73⤵
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"74⤵
- Adds Run key to start application
PID:2440 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"75⤵PID:2956
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"76⤵PID:240
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"77⤵
- Adds Run key to start application
PID:2976 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"78⤵
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"79⤵
- Adds Run key to start application
PID:1572 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"80⤵PID:2760
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"81⤵
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"82⤵
- Adds Run key to start application
PID:2712 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"83⤵PID:2812
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"84⤵
- Adds Run key to start application
PID:2168 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"85⤵PID:1260
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"86⤵PID:2032
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"87⤵PID:2416
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"88⤵
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"89⤵
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"90⤵PID:1144
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"91⤵
- Drops file in System32 directory
PID:640 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"92⤵
- Adds Run key to start application
PID:3040 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"93⤵
- Drops file in System32 directory
PID:328 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"94⤵PID:2920
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"95⤵PID:1532
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"96⤵
- Adds Run key to start application
PID:944 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"97⤵PID:2536
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"98⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:928 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"99⤵
- Adds Run key to start application
PID:2220 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"100⤵
- Adds Run key to start application
PID:1664 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"101⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"102⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2288 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"103⤵PID:876
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"104⤵
- Adds Run key to start application
PID:2636 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"105⤵PID:1280
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"106⤵PID:2664
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"107⤵PID:2748
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"108⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"109⤵PID:2436
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"110⤵
- Adds Run key to start application
PID:2452 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"111⤵
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"112⤵PID:240
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"113⤵PID:2476
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"114⤵
- Adds Run key to start application
PID:2268 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"115⤵
- Adds Run key to start application
PID:2424 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"116⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"117⤵
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"118⤵PID:2696
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"119⤵PID:2804
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"120⤵PID:540
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"121⤵PID:2056
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"122⤵PID:2284
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"123⤵PID:1644
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"124⤵PID:704
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"125⤵
- Adds Run key to start application
PID:1816 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"126⤵PID:1856
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"127⤵PID:2148
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"128⤵
- Drops file in System32 directory
PID:840 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"129⤵
- Drops file in System32 directory
PID:1228 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"130⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"131⤵PID:1544
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"132⤵PID:868
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"133⤵
- Drops file in System32 directory
PID:1700 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"134⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"135⤵PID:2184
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"136⤵
- Adds Run key to start application
PID:1256 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"137⤵
- Adds Run key to start application
PID:3020 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"138⤵PID:876
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"139⤵PID:2636
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"140⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"141⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"142⤵
- Adds Run key to start application
PID:3052 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"143⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"144⤵
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"145⤵
- Adds Run key to start application
PID:3036 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"146⤵PID:2508
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"147⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"148⤵
- Adds Run key to start application
PID:1788 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"149⤵PID:1448
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"150⤵
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"151⤵
- Drops file in System32 directory
PID:1192 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"152⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"153⤵
- Drops file in System32 directory
PID:836 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"154⤵PID:2716
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"155⤵
- Adds Run key to start application
PID:1964 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"156⤵PID:2300
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"157⤵
- Adds Run key to start application
PID:2284 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"158⤵PID:1452
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"159⤵
- Adds Run key to start application
PID:1592 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"160⤵
- Adds Run key to start application
PID:2392 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"161⤵
- Drops file in System32 directory
PID:280 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"162⤵PID:300
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"163⤵
- Adds Run key to start application
PID:784 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"164⤵PID:1712
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"165⤵PID:2164
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"166⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"167⤵PID:2228
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"168⤵
- Adds Run key to start application
PID:2136 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"169⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:596 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"170⤵
- Adds Run key to start application
PID:1808 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"171⤵
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"172⤵
- Adds Run key to start application
PID:3020 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"173⤵PID:1188
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"174⤵PID:2820
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"175⤵PID:2664
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"176⤵
- Adds Run key to start application
PID:2688 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"177⤵
- Adds Run key to start application
PID:1000 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"178⤵
- Adds Run key to start application
PID:2560 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"179⤵
- Adds Run key to start application
PID:2652 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"180⤵PID:2272
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"181⤵
- Adds Run key to start application
PID:240 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"182⤵PID:1932
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"183⤵
- Drops file in System32 directory
PID:1788 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"184⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"185⤵PID:1704
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"186⤵PID:1312
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"187⤵
- Drops file in System32 directory
PID:1084 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"188⤵PID:2248
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"189⤵PID:1652
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"190⤵PID:1740
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"191⤵PID:2872
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"192⤵PID:588
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"193⤵PID:1644
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"194⤵PID:1592
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"195⤵PID:2392
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"196⤵PID:3040
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"197⤵PID:328
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"198⤵PID:1368
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"199⤵PID:1300
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"200⤵PID:944
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"201⤵PID:696
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"202⤵PID:1504
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"203⤵PID:880
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"204⤵PID:2012
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"205⤵PID:908
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"206⤵PID:876
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"207⤵PID:2636
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"208⤵PID:2632
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"209⤵PID:2736
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"210⤵PID:2444
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"211⤵PID:2008
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"212⤵PID:1000
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"213⤵PID:1612
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"214⤵PID:2652
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"215⤵PID:2272
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"216⤵PID:2236
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"217⤵PID:2292
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"218⤵PID:1932
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"219⤵PID:2700
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"220⤵PID:1292
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"221⤵PID:2548
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"222⤵PID:324
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"223⤵PID:1192
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"224⤵PID:1912
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"225⤵PID:2400
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"226⤵PID:1652
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"227⤵PID:676
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"228⤵PID:2872
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"229⤵PID:1796
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"230⤵PID:2016
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"231⤵PID:740
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"232⤵PID:2148
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"233⤵PID:2920
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"234⤵PID:320
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"235⤵PID:2276
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"236⤵PID:2536
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"237⤵PID:848
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"238⤵PID:1940
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"239⤵PID:1620
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"240⤵PID:304
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"241⤵PID:552
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"242⤵PID:1720