Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-05-2024 07:45
Behavioral tasks
- behavioral1: sample 1fedfc97d52dc13ed6cebde7519bf7a8_JaffaCakes118.exe, resource win7-20240221-en
- behavioral2: sample 1fedfc97d52dc13ed6cebde7519bf7a8_JaffaCakes118.exe, resource win10v2004-20240426-en
General
- Target: 1fedfc97d52dc13ed6cebde7519bf7a8_JaffaCakes118.exe
- Size: 730KB
- MD5: 1fedfc97d52dc13ed6cebde7519bf7a8
- SHA1: a5586c63c2e4eb65ce4c3f1a3070e7e01fbba470
- SHA256: 4851611ebb2a33698be0ed454cbaf495d86925ef472c6cdc5b799e259c573b3c
- SHA512: aa67f72731ff7045ae899d4ba2cf861149c8524c92e38de2eee0bb707745a87bff6a0c7210abdf3a3ebfb49e3d34edec4588f3ba167368c8a8b64a311aaa829e
- SSDEEP: 12288:Y9nTQAiVtuiwlF4w+dGnS0LzPgm8cryDYTS7b9ihfJEdp86nH3UqCILs9:Y9nNMmlyeS0LzgsryuS7b9ihz6Ox
Malware Config

Signatures

- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

- ModiLoader Second Stage (64 IoCs)
  All 64 matches are for yara_rule modiloader_stage2. One match is the dropped file C:\Windows\SysWOW64\vssms32.exe; the other 63 are behavioral2 memory dumps, each covering 0x0000000000400000-0x00000000004BD000 and named behavioral2/memory/<pid>-<n>-0x0000000000400000-0x00000000004BD000-memory.dmp with the following <pid>-<n> values:
  2876-34, 2704-37, 4440-39, 3012-41, 4576-43, 3488-45, 4432-47, 3496-49, 1084-51, 4540-53, 1892-55, 4788-57, 3544-59, 972-61, 3908-64, 3272-66, 1468-68, 2592-71, 4840-73, 2136-75, 2704-77, 2412-79, 3356-81, 1376-84, 1988-86, 1356-88, 1824-90, 2172-92, 1892-94, 1172-96, 3544-99, 4544-101, 208-103, 1160-105, 1520-107, 1936-108, 2456-109, 4168-110, 4264-111, 1924-112, 1620-113, 2324-114, 2676-115, 1756-116, 2320-117, 632-118, 4860-119, 2172-120, 5036-121, 4992-122, 4008-123, 972-124, 3908-125, 4824-126, 1928-127, 3248-128, 2084-129, 3736-130, 228-131, 5020-132, 1780-133, 3644-134, 4556-135
- Checks computer location settings (2 TTPs, 64 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation
  process: vssms32.exe (63 of the 64 entries); 1fedfc97d52dc13ed6cebde7519bf7a8_JaffaCakes118.exe (1 entry, the 8th in the list)
- Executes dropped EXE (64 IoCs)
  process: vssms32.exe (all 64 entries)
  pids, in listed order: 2704, 4440, 3012, 4576, 3488, 4432, 3496, 1084, 4540, 1892, 4788, 3544, 972, 3908, 3272, 1468, 2592, 4840, 2136, 2704, 2412, 3356, 1376, 1988, 1356, 1824, 2172, 1892, 1172, 3544, 4544, 208, 1160, 1520, 1936, 2456, 4168, 4264, 1924, 1620, 2324, 2676, 1756, 2320, 632, 4860, 2172, 5036, 4992, 4008, 972, 3908, 4824, 1928, 3248, 2084, 3736, 228, 5020, 1780, 3644, 4556, 5040, 1376
- Adds Run key to start application (2 TTPs, 64 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"
  process: vssms32.exe (63 of the 64 entries); 1fedfc97d52dc13ed6cebde7519bf7a8_JaffaCakes118.exe (1 entry, the 12th in the list)
- Drops file in System32 directory (64 IoCs)
  ioc for every entry: C:\Windows\SysWOW64\vssms32.exe
  File created by vssms32.exe: 36 entries
  File opened for modification by vssms32.exe: 27 entries
  File opened for modification by 1fedfc97d52dc13ed6cebde7519bf7a8_JaffaCakes118.exe: 1 entry
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 64 IoCs
Processes:
vssms32.exe (64 records, all from copies of vssms32.exe)
description | ioc | process | count
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | vssms32.exe | 64
All 64 records are the same key, created by successive copies of vssms32.exe. The WOW6432Node path is the 32-bit view of the registry, consistent with the sample running under WOW64 from SysWOW64. RegCreateKeyEx opens the key when it already exists, so a "Key created" record does not by itself show that the key was absent beforehand. The signature covers key creation under SOFTWARE\Classes generally; the report gives only the key path, not any values written under it.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1fedfc97d52dc13ed6cebde7519bf7a8_JaffaCakes118.exe and vssms32.exe (21 writer instances)
description | pid | process | target pid | target process | writes
PID wrote to memory | 2876 | 1fedfc97d52dc13ed6cebde7519bf7a8_JaffaCakes118.exe | 2704 | vssms32.exe | 3
PID wrote to memory | 2704 | vssms32.exe | 4440 | vssms32.exe | 3
PID wrote to memory | 4440 | vssms32.exe | 3012 | vssms32.exe | 3
PID wrote to memory | 3012 | vssms32.exe | 4576 | vssms32.exe | 3
PID wrote to memory | 4576 | vssms32.exe | 3488 | vssms32.exe | 3
PID wrote to memory | 3488 | vssms32.exe | 4432 | vssms32.exe | 3
PID wrote to memory | 4432 | vssms32.exe | 3496 | vssms32.exe | 3
PID wrote to memory | 3496 | vssms32.exe | 1084 | vssms32.exe | 3
PID wrote to memory | 1084 | vssms32.exe | 4540 | vssms32.exe | 3
PID wrote to memory | 4540 | vssms32.exe | 1892 | vssms32.exe | 3
PID wrote to memory | 1892 | vssms32.exe | 4788 | vssms32.exe | 3
PID wrote to memory | 4788 | vssms32.exe | 3544 | vssms32.exe | 3
PID wrote to memory | 3544 | vssms32.exe | 972 | vssms32.exe | 3
PID wrote to memory | 972 | vssms32.exe | 3908 | vssms32.exe | 3
PID wrote to memory | 3908 | vssms32.exe | 3272 | vssms32.exe | 3
PID wrote to memory | 3272 | vssms32.exe | 1468 | vssms32.exe | 3
PID wrote to memory | 1468 | vssms32.exe | 2592 | vssms32.exe | 3
PID wrote to memory | 2592 | vssms32.exe | 4840 | vssms32.exe | 3
PID wrote to memory | 4840 | vssms32.exe | 2136 | vssms32.exe | 3
PID wrote to memory | 2136 | vssms32.exe | 2704 | vssms32.exe | 3
PID wrote to memory | 2704 | vssms32.exe | 2412 | vssms32.exe | 3
PID wrote to memory | 2412 | vssms32.exe | 3356 | vssms32.exe | 1
Each writer's target is exactly the process it spawns next in the process tree below, three writes per parent-child pair; no write targets a process outside the chain. The listing stops at 64 records, which is why the 22nd pair shows only its first write. PID 2704 appears twice as a target (first from 2876, later from 2136): the first 2704 had exited and Windows reused its PID, so a PID alone does not identify a process across this run.
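The run-together records above are easier to check by machine than by eye. The following Python is added here and is not part of the report or of any ModiLoader/DBatLoader tooling: it re-renders the 64 records in the sandbox's own wording (the `rec` helper is the example's assumption about that format), parses them, rebuilds the parent-to-child chain, and handles the PID-reuse case (2704 is a target twice) by keying processes on (pid, incarnation) rather than on the bare PID. The incarnation rule, that a PID written to again by a different writer is a fresh process, is the example's own assumption and relies on the records being in chronological order.

```python
import re
from collections import Counter, defaultdict

SAMPLE = "1fedfc97d52dc13ed6cebde7519bf7a8_JaffaCakes118.exe"
COPY = "vssms32.exe"


def rec(writer, target, writer_img=COPY, target_img=COPY):
    """Render one record in the sandbox's wording (constructed input)."""
    return f"PID {writer} wrote to memory of {target} {writer} {writer_img} {target_img}"


# The 64 WriteProcessMemory records of this report, in report order: 21
# parent -> child pairs with three writes each, then a single final write.
REPORT_LINES = (
    [rec(2876, 2704, SAMPLE)] * 3
    + [rec(2704, 4440)] * 3 + [rec(4440, 3012)] * 3 + [rec(3012, 4576)] * 3
    + [rec(4576, 3488)] * 3 + [rec(3488, 4432)] * 3 + [rec(4432, 3496)] * 3
    + [rec(3496, 1084)] * 3 + [rec(1084, 4540)] * 3 + [rec(4540, 1892)] * 3
    + [rec(1892, 4788)] * 3 + [rec(4788, 3544)] * 3 + [rec(3544, 972)] * 3
    + [rec(972, 3908)] * 3 + [rec(3908, 3272)] * 3 + [rec(3272, 1468)] * 3
    + [rec(1468, 2592)] * 3 + [rec(2592, 4840)] * 3 + [rec(4840, 2136)] * 3
    + [rec(2136, 2704)] * 3 + [rec(2704, 2412)] * 3 + [rec(2412, 3356)]
)

RECORD_RE = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) (?P=writer) "
    r"(?P<writer_img>\S+) (?P<target_img>\S+)"
)


def parse(lines):
    """Turn report lines into (writer_pid, target_pid, writer_img, target_img)."""
    records = []
    for line in lines:
        m = RECORD_RE.fullmatch(line.strip())
        if m is None:
            raise ValueError(f"unrecognised record: {line!r}")
        records.append((int(m["writer"]), int(m["target"]),
                        m["writer_img"], m["target_img"]))
    return records


def build_chain(records):
    """Reconstruct the parent -> child chain from chronologically ordered records.

    Nodes are (pid, incarnation) rather than bare pids: when a pid that has
    already been written to shows up again as the target of a *different*
    writer, the earlier process has exited and Windows reused the number.
    Returns (chain, writes); writes maps (writer_node, target_node) to the
    number of writes recorded on that edge.
    """
    incarnation = {}      # pid -> index of its current incarnation
    last_writer = {}      # target pid -> writer pid of the most recent write
    writes = Counter()
    for writer, target, _, _ in records:
        incarnation.setdefault(writer, 0)   # a root never appears as a target
        wnode = (writer, incarnation[writer])
        if target not in incarnation:
            incarnation[target] = 0
        elif last_writer.get(target) != writer:
            incarnation[target] += 1        # pid reuse: this is a fresh process
        last_writer[target] = writer
        writes[(wnode, (target, incarnation[target]))] += 1

    children = defaultdict(list)
    for wnode, tnode in writes:
        children[wnode].append(tnode)
    targets = {tnode for _, tnode in writes}
    roots = sorted({wnode for wnode, _ in writes if wnode not in targets})
    chain = [roots[0]]
    while children.get(chain[-1]):
        chain.append(children[chain[-1]][0])   # every node has one child here
    return chain, writes


def reused_pids(chain):
    """PIDs that occur more than once along the chain."""
    counts = Counter(pid for pid, _ in chain)
    return {pid for pid, n in counts.items() if n > 1}


def off_chain_writes(chain, writes):
    """Edges whose target is not the writer's own immediate successor."""
    successor = {chain[i]: chain[i + 1] for i in range(len(chain) - 1)}
    return [edge for edge in writes if successor.get(edge[0]) != edge[1]]


if __name__ == "__main__":
    chain, writes = build_chain(parse(REPORT_LINES))
    print(" -> ".join(f"{pid}#{inc}" for pid, inc in chain))
    print("reused pids:", reused_pids(chain))
    print("writes outside the chain:", off_chain_writes(chain, writes))
```

Run stand-alone it prints the 23-node chain from 2876 down to 3356, with 2704 appearing as both 2704#0 and 2704#1, reports {2704} as reused, and an empty list of writes outside the chain. The same incarnation trick applies to any PID-keyed log without a start time or process GUID.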
Processes
-
C:\Users\Admin\AppData\Local\Temp\1fedfc97d52dc13ed6cebde7519bf7a8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1fedfc97d52dc13ed6cebde7519bf7a8_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"10⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"13⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"19⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"24⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1988 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"28⤵
- Executes dropped EXE
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"29⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1172 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"31⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3544 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4544 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"33⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"34⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:1160 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"35⤵
- Checks computer location settings
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"36⤵
- Executes dropped EXE
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"37⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"38⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"39⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:4264 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"40⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"41⤵
- Executes dropped EXE
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"43⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"44⤵
- Executes dropped EXE
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"45⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"46⤵
- Executes dropped EXE
- Modifies registry class
PID:632 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"47⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4860 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"49⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5036 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"50⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4992 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"51⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4008 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"52⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"53⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4824 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"55⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"56⤵
- Executes dropped EXE
- Modifies registry class
PID:3248 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"57⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"58⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"59⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"60⤵
- Executes dropped EXE
- Modifies registry class
PID:5020 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"61⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"62⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3644 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"63⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4556 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"64⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"65⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1376 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"66⤵PID:1640
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"67⤵
- Adds Run key to start application
PID:8 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"68⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:3844 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"69⤵
- Drops file in System32 directory
- Modifies registry class
PID:3156 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"70⤵
- Drops file in System32 directory
- Modifies registry class
PID:4196 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"71⤵PID:3584
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"72⤵
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"73⤵
- Adds Run key to start application
PID:1448 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"74⤵
- Checks computer location settings
PID:1876 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"75⤵PID:4864
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"76⤵PID:4460
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"77⤵PID:3564
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"78⤵
- Checks computer location settings
PID:3232 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"79⤵
- Adds Run key to start application
PID:2116 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"80⤵
- Adds Run key to start application
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"81⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"82⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"83⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
PID:396 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"84⤵PID:4532
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"85⤵
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"86⤵PID:1992
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"87⤵
- Modifies registry class
PID:4244 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"88⤵PID:2412
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"89⤵
- Checks computer location settings
PID:3764 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"90⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"91⤵PID:2624
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"92⤵PID:2580
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"93⤵
- Checks computer location settings
- Modifies registry class
PID:4996 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"94⤵
- Adds Run key to start application
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"95⤵PID:1028
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"96⤵
- Adds Run key to start application
PID:1960 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"97⤵
- Adds Run key to start application
PID:5112 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"98⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"99⤵
- Checks computer location settings
PID:2900 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"100⤵PID:2060
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"101⤵
- Modifies registry class
PID:464 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"102⤵
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"103⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"104⤵PID:4788
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"105⤵
- Checks computer location settings
- Adds Run key to start application
PID:1468 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"106⤵PID:2480
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"107⤵
- Checks computer location settings
PID:4872 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"108⤵PID:3328
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"109⤵PID:1904
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"110⤵PID:3128
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"111⤵
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"112⤵
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"113⤵
- Checks computer location settings
PID:1020 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"114⤵
- Drops file in System32 directory
PID:636 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"115⤵
- Checks computer location settings
- Adds Run key to start application
PID:1988 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"116⤵
- Adds Run key to start application
PID:808 -
Process tree, continued (levels 117 to 241). Every entry in this range is the same image, C:\Windows\SysWOW64\vssms32.exe, started with the command line "C:\Windows\system32\vssms32.exe"; the level number is the nesting depth in the tree, so each process is the child of the one on the level above and the loader keeps re-launching itself until the run ends. The resolved image path differs from the command line because the process is 32-bit: WoW64 file-system redirection maps C:\Windows\system32 to C:\Windows\SysWOW64 for 32-bit code, so when hunting from a 64-bit shell the dropped file is under SysWOW64, not System32. PIDs repeat within the chain (for example 1156 at levels 138, 187 and 217, and 4952 at 118 and 146) because Windows recycles the PIDs of exited processes; correlate on PID plus process start time rather than PID alone.
Signature codes: Loc = Checks computer location settings; Run = Adds Run key to start application; Drop = Drops file in System32 directory; Class = Modifies registry class; "-" = no signature flagged for that process.

Level  PID   Signatures
117    3148  -
118    4952  Drop
119    3044  -
120    4860  Loc
121    3008  -
122    3436  Loc, Drop
123    728   Run
124    3660  Run, Drop
125    3100  Class
126    4216  Drop
127    972   Class
128    1720  Run, Drop, Class
129    4292  -
130    5000  Loc
131    2692  Loc
132    2480  Loc
133    2084  -
134    3328  Loc, Drop, Class
135    2364  -
136    4108  Drop
137    5068  Run, Drop, Class
138    1156  Loc, Run, Drop
139    2468  Run, Drop, Class
140    4516  -
141    2768  -
142    2452  Loc
143    3932  -
144    1572  -
145    840   Run, Drop
146    4952  Loc, Class
147    616   -
148    2172  -
149    1172  Drop
150    1604  -
151    1636  Run
152    2900  Run, Class
153    688   Class
154    4544  Run, Class
155    4460  -
156    2408  -
157    4788  Class
158    2524  Loc
159    660   Drop
160    2112  Loc, Run, Drop
161    1520  -
162    2044  -
163    3820  -
164    708   Loc, Class
165    1480  -
166    3656  Loc, Drop
167    4840  Run, Class
168    2664  Loc
169    3704  -
170    1012  -
171    812   Class
172    4860  Loc, Run, Drop
173    3588  Class
174    844   Class
175    2504  Run, Drop, Class
176    4380  Loc, Class
177    928   -
178    1532  Loc, Run
179    4836  Loc, Drop
180    3860  -
181    1928  Drop
182    1160  -
183    3732  Loc, Run, Drop
184    4872  Run
185    4940  Class
186    4588  Loc
187    1156  Class
188    4524  -
189    2676  -
190    2220  -
191    2164  -
192    3316  Class
193    744   -
194    944   -
195    2544  Loc
196    1788  -
197    1248  Class
198    2820  Run, Class
199    1960  -
200    1800  Loc, Class
201    2860  Loc, Run, Class
202    2900  -
203    4544  -
204    1448  Loc, Drop
205    5112  Drop
206    4912  Drop
207    1752  Run, Drop
208    2116  Run
209    3744  Class
210    3772  -
211    4900  Loc, Run
212    2112  Loc, Run
213    1528  Loc, Run
214    1668  Run
215    4940  Run
216    1620  Loc
217    1156  -
218    4604  Loc, Run
219    956   -
220    1572  Run
221    2188  -
222    1164  Class
223    4704  Class
224    2084  Drop
225    2712  Drop
226    5016  Loc, Run, Drop
227    3896  Loc
228    4528  Class
229    3584  -
230    3980  Loc, Drop
231    756   Loc, Drop, Class
232    4376  Class
233    4272  Class
234    1760  Loc
235    1592  Run
236    3152  -
237    1944  Drop
238    1160  -
239    3784  -
240    2704  -
241    4556  -
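The sandbox export fuses each process entry into one or two lines of the form image"command line"level⤵, optionally followed by "- signature" bullets and a "PID:n -" line. The following Python is an added example, not code from the sandbox or from this report, that parses that fused form, counts how often each signature fired, flags PIDs that appear at more than one level, and lists the entries whose resolved image sits under SysWOW64 while the command line names system32. The format rules it assumes are taken from the entries on this page; the sample text embedded in it is constructed from four of those entries (levels 117, 118, 119 and 146).

```python
"""Parse a sandbox process-tree export and summarise it for triage.

Added example, not part of the sandbox report. Assumed input format:
    <image>"<command line>"<level>⤵[PID:<pid>]
followed by zero or more "- <signature>" bullets, then "PID:<pid> -" when
the PID was not on the header line; bare "-" lines separate entries.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEADER = re.compile(
    r'^(?P<image>[^"]+)"(?P<cmdline>[^"]*)"(?P<level>\d+)⤵(?:PID:(?P<pid>\d+))?\s*$'
)
PID_LINE = re.compile(r'^PID:(?P<pid>\d+)\s*-?\s*$')
SIG_LINE = re.compile(r'^-\s+(?P<sig>\S.*?)\s*$')


@dataclass
class Proc:
    level: int                 # nesting depth; each level is the child of the one above
    image: str                 # path the sandbox resolved for the executable
    cmdline: str               # command line as the parent supplied it
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)


def parse_tree(text: str) -> List[Proc]:
    """Turn the fused export into one Proc per entry, in report order."""
    procs: List[Proc] = []
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue                      # blank line or entry separator
        m = HEADER.match(line)
        if m:
            cur = Proc(int(m["level"]), m["image"], m["cmdline"],
                       int(m["pid"]) if m["pid"] else None)
            procs.append(cur)
            continue
        if cur is None:
            raise ValueError(f"data before first entry: {raw!r}")
        m = PID_LINE.match(line)
        if m:
            cur.pid = int(m["pid"])
            continue
        m = SIG_LINE.match(line)
        if m:
            cur.signatures.append(m["sig"])
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    return procs


def signature_counts(procs: List[Proc]) -> Counter:
    """How often each sandbox signature fired across the chain."""
    return Counter(sig for p in procs for sig in p.signatures)


def reused_pids(procs: List[Proc]) -> Dict[int, List[int]]:
    """PIDs seen at more than one level. Windows recycles the PID of an exited
    process, so a PID alone does not identify one process; pair it with the
    process start time when writing timeline or EDR queries."""
    levels: Dict[int, List[int]] = defaultdict(list)
    for p in procs:
        if p.pid is not None:
            levels[p.pid].append(p.level)
    return {pid: lv for pid, lv in levels.items() if len(lv) > 1}


def wow64_redirected(procs: List[Proc]) -> List[int]:
    """Levels whose command line names \\system32\\ but whose resolved image is
    under \\SysWOW64\\: the pattern WoW64 file-system redirection produces for
    a 32-bit process, which tells a responder where the file really lives."""
    return [p.level for p in procs
            if "\\system32\\" in p.cmdline.lower() and "\\syswow64\\" in p.image.lower()]


# Constructed sample in the export format, built from four entries of the
# report (levels 117-119 and 146); PID 4952 is reused at levels 118 and 146.
SAMPLE = r'''
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"117⤵PID:3148
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"118⤵
- Drops file in System32 directory
PID:4952 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"119⤵PID:3044
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"146⤵
- Checks computer location settings
- Modifies registry class
PID:4952 -
'''

if __name__ == "__main__":
    procs = parse_tree(SAMPLE)
    for p in procs:
        print(f"level {p.level:>3}  pid {p.pid:>5}  {', '.join(p.signatures) or '-'}")
    print("signature counts:", dict(signature_counts(procs)))
    print("reused PIDs:", reused_pids(procs))
    print("WoW64-redirected levels:", wow64_redirected(procs))
```

Paste the full tree text from the report into SAMPLE (or read it from a file) to get the counts for all 241 levels; any line the parser does not recognise raises ValueError rather than being silently skipped, so a copy that lost a quote or the ⤵ marker is caught immediately.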
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize  730KB
MD5       1fedfc97d52dc13ed6cebde7519bf7a8
SHA1      a5586c63c2e4eb65ce4c3f1a3070e7e01fbba470
SHA256    4851611ebb2a33698be0ed454cbaf495d86925ef472c6cdc5b799e259c573b3c
SHA512    aa67f72731ff7045ae899d4ba2cf861149c8524c92e38de2eee0bb707745a87bff6a0c7210abdf3a3ebfb49e3d34edec4588f3ba167368c8a8b64a311aaa829e
-
MD5       d41d8cd98f00b204e9800998ecf8427e
SHA1      da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
No file size is reported for this second entry, and all four values are the well-known digests of zero-length input, so it is an empty file. Do not add these hashes to a blocklist or detection rule: they would match every empty file on every host.