modiloader | 5134df791246fd0f03be46628c026b2213e97387e6183cfae0227c84c71f8d85

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe
Size

1.7MB
MD5

e41ae74819e7aaa64af9eb80b15e7e15
SHA1

47505056155c7e497bb0c147292a52db7e861e91
SHA256

5134df791246fd0f03be46628c026b2213e97387e6183cfae0227c84c71f8d85
SHA512

83e06688d1a1dacb46335b1657ebcfbdd2f4fae15c77b063f1513e1cfbad65e88451398953d234c7f29a5fd6c750ff0e1a51cdb1eb97e22184f68905f4319c36
SSDEEP

49152:7NrLrCNDXy0i3jqYEahU4uabffpTaKO6iCUf:7NriHi3jq74uup+oiC

Score

10^/10

modiloader defense_evasion discovery evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 64 IoCs

resource	yara_rule
behavioral1/memory/2420-12-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2820-22-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/476-28-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-37-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/1344-44-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2796-50-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/1704-61-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2432-67-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2520-71-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2792-75-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-76-0x0000000007CE0000-0x0000000008104000-memory.dmp	modiloader_stage2
behavioral1/memory/2800-80-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2904-84-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/984-88-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/1300-92-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/944-96-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2796-97-0x00000000079E0000-0x0000000007E04000-memory.dmp	modiloader_stage2
behavioral1/memory/1480-101-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/1204-102-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2376-103-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2740-104-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2824-105-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/1948-106-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/828-107-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/1856-108-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2404-109-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/1860-110-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/1592-111-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2808-112-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2720-113-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2368-114-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/1640-115-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2904-116-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/896-117-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2288-118-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/1300-119-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2928-120-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2424-121-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/3064-122-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2900-123-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/1400-124-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-125-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2056-126-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/3000-127-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2684-128-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/1964-129-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/1716-130-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/1244-131-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/1348-132-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2892-133-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2384-134-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/1260-135-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2780-136-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/820-137-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/1248-138-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/1520-139-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2752-140-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2052-141-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/1396-142-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2920-143-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2316-144-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/1652-145-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/2676-146-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2
behavioral1/memory/1548-147-0x0000000000400000-0x0000000000824000-memory.dmp	modiloader_stage2

Executes dropped EXE 64 IoCs

pid	Process
2820	vssms32.exe
476	vssms32.exe
2712	vssms32.exe
1344	vssms32.exe
2796	vssms32.exe
1704	vssms32.exe
2432	vssms32.exe
2520	vssms32.exe
2792	vssms32.exe
2800	vssms32.exe
2904	vssms32.exe
984	vssms32.exe
1300	vssms32.exe
944	vssms32.exe
1480	vssms32.exe
1204	vssms32.exe
2376	vssms32.exe
2740	vssms32.exe
2824	vssms32.exe
1948	vssms32.exe
828	vssms32.exe
1856	vssms32.exe
2404	vssms32.exe
1860	vssms32.exe
1592	vssms32.exe
2808	vssms32.exe
2720	vssms32.exe
2368	vssms32.exe
1640	vssms32.exe
2904	vssms32.exe
896	vssms32.exe
2288	vssms32.exe
1300	vssms32.exe
2928	vssms32.exe
2424	vssms32.exe
3064	vssms32.exe
2900	vssms32.exe
1400	vssms32.exe
2964	vssms32.exe
2056	vssms32.exe
3000	vssms32.exe
2684	vssms32.exe
1964	vssms32.exe
1716	vssms32.exe
1244	vssms32.exe
1348	vssms32.exe
2892	vssms32.exe
2384	vssms32.exe
1260	vssms32.exe
2780	vssms32.exe
820	vssms32.exe
1248	vssms32.exe
1520	vssms32.exe
2752	vssms32.exe
2052	vssms32.exe
1396	vssms32.exe
2920	vssms32.exe
2316	vssms32.exe
1652	vssms32.exe
2676	vssms32.exe
1548	vssms32.exe
1476	vssms32.exe
3032	vssms32.exe
2828	vssms32.exe

Identifies Wine through registry keys 2 TTPs 64 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	vssms32.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe

Loads dropped DLL 64 IoCs

pid	Process
2420	e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe
2420	e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe
2820	vssms32.exe
2820	vssms32.exe
476	vssms32.exe
476	vssms32.exe
2712	vssms32.exe
2712	vssms32.exe
1344	vssms32.exe
1344	vssms32.exe
2796	vssms32.exe
2796	vssms32.exe
1704	vssms32.exe
1704	vssms32.exe
2432	vssms32.exe
2432	vssms32.exe
2520	vssms32.exe
2520	vssms32.exe
2792	vssms32.exe
2792	vssms32.exe
2800	vssms32.exe
2800	vssms32.exe
2904	vssms32.exe
2904	vssms32.exe
984	vssms32.exe
984	vssms32.exe
1300	vssms32.exe
1300	vssms32.exe
944	vssms32.exe
944	vssms32.exe
1480	vssms32.exe
1480	vssms32.exe
1204	vssms32.exe
1204	vssms32.exe
2376	vssms32.exe
2376	vssms32.exe
2740	vssms32.exe
2740	vssms32.exe
2824	vssms32.exe
2824	vssms32.exe
1948	vssms32.exe
1948	vssms32.exe
828	vssms32.exe
828	vssms32.exe
1856	vssms32.exe
1856	vssms32.exe
2404	vssms32.exe
2404	vssms32.exe
1860	vssms32.exe
1860	vssms32.exe
1592	vssms32.exe
1592	vssms32.exe
2808	vssms32.exe
2808	vssms32.exe
2720	vssms32.exe
2720	vssms32.exe
2368	vssms32.exe
2368	vssms32.exe
1640	vssms32.exe
1640	vssms32.exe
2904	vssms32.exe
2904	vssms32.exe
896	vssms32.exe
896	vssms32.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe

Checks whether UAC is enabled 1 TTPs 64 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vssms32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2820	2420	e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2820	2420	e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2820	2420	e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2820	2420	e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe	30
PID 2820 wrote to memory of 476	2820	vssms32.exe	31
PID 2820 wrote to memory of 476	2820	vssms32.exe	31
PID 2820 wrote to memory of 476	2820	vssms32.exe	31
PID 2820 wrote to memory of 476	2820	vssms32.exe	31
PID 476 wrote to memory of 2712	476	vssms32.exe	32
PID 476 wrote to memory of 2712	476	vssms32.exe	32
PID 476 wrote to memory of 2712	476	vssms32.exe	32
PID 476 wrote to memory of 2712	476	vssms32.exe	32
PID 2712 wrote to memory of 1344	2712	vssms32.exe	33
PID 2712 wrote to memory of 1344	2712	vssms32.exe	33
PID 2712 wrote to memory of 1344	2712	vssms32.exe	33
PID 2712 wrote to memory of 1344	2712	vssms32.exe	33
PID 1344 wrote to memory of 2796	1344	vssms32.exe	34
PID 1344 wrote to memory of 2796	1344	vssms32.exe	34
PID 1344 wrote to memory of 2796	1344	vssms32.exe	34
PID 1344 wrote to memory of 2796	1344	vssms32.exe	34
PID 2796 wrote to memory of 1704	2796	vssms32.exe	35
PID 2796 wrote to memory of 1704	2796	vssms32.exe	35
PID 2796 wrote to memory of 1704	2796	vssms32.exe	35
PID 2796 wrote to memory of 1704	2796	vssms32.exe	35
PID 1704 wrote to memory of 2432	1704	vssms32.exe	36
PID 1704 wrote to memory of 2432	1704	vssms32.exe	36
PID 1704 wrote to memory of 2432	1704	vssms32.exe	36
PID 1704 wrote to memory of 2432	1704	vssms32.exe	36
PID 2432 wrote to memory of 2520	2432	vssms32.exe	37
PID 2432 wrote to memory of 2520	2432	vssms32.exe	37
PID 2432 wrote to memory of 2520	2432	vssms32.exe	37
PID 2432 wrote to memory of 2520	2432	vssms32.exe	37
PID 2520 wrote to memory of 2792	2520	vssms32.exe	38
PID 2520 wrote to memory of 2792	2520	vssms32.exe	38
PID 2520 wrote to memory of 2792	2520	vssms32.exe	38
PID 2520 wrote to memory of 2792	2520	vssms32.exe	38
PID 2792 wrote to memory of 2800	2792	vssms32.exe	39
PID 2792 wrote to memory of 2800	2792	vssms32.exe	39
PID 2792 wrote to memory of 2800	2792	vssms32.exe	39
PID 2792 wrote to memory of 2800	2792	vssms32.exe	39
PID 2800 wrote to memory of 2904	2800	vssms32.exe	60
PID 2800 wrote to memory of 2904	2800	vssms32.exe	60
PID 2800 wrote to memory of 2904	2800	vssms32.exe	60
PID 2800 wrote to memory of 2904	2800	vssms32.exe	60
PID 2904 wrote to memory of 984	2904	vssms32.exe	41
PID 2904 wrote to memory of 984	2904	vssms32.exe	41
PID 2904 wrote to memory of 984	2904	vssms32.exe	41
PID 2904 wrote to memory of 984	2904	vssms32.exe	41
PID 984 wrote to memory of 1300	984	vssms32.exe	42
PID 984 wrote to memory of 1300	984	vssms32.exe	42
PID 984 wrote to memory of 1300	984	vssms32.exe	42
PID 984 wrote to memory of 1300	984	vssms32.exe	42
PID 1300 wrote to memory of 944	1300	vssms32.exe	43
PID 1300 wrote to memory of 944	1300	vssms32.exe	43
PID 1300 wrote to memory of 944	1300	vssms32.exe	43
PID 1300 wrote to memory of 944	1300	vssms32.exe	43
PID 944 wrote to memory of 1480	944	vssms32.exe	44
PID 944 wrote to memory of 1480	944	vssms32.exe	44
PID 944 wrote to memory of 1480	944	vssms32.exe	44
PID 944 wrote to memory of 1480	944	vssms32.exe	44
PID 1480 wrote to memory of 1204	1480	vssms32.exe	45
PID 1480 wrote to memory of 1204	1480	vssms32.exe	45
PID 1480 wrote to memory of 1204	1480	vssms32.exe	45
PID 1480 wrote to memory of 1204	1480	vssms32.exe	45

C:\Users\Admin\AppData\Local\Temp\e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe"
1⤵
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\vssms32.exe
  "C:\Windows\system32\vssms32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\vssms32.exe
    "C:\Windows\system32\vssms32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:476
  - - C:\Windows\SysWOW64\vssms32.exe
      "C:\Windows\system32\vssms32.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        5⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1344
      - C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        10⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        13⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        15⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:828
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1856
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        
        PID:2404
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        
        PID:2720
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        30⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Checks whether UAC is enabled
        
        PID:1640
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:896
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        33⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        34⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:1300
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        35⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2424
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        37⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        38⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:2900
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1400
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        40⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:2964
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        42⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:3000
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        44⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        
        PID:1964
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        45⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        48⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        49⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        50⤵
        Executes dropped EXE
        
        PID:1260
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:820
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        53⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        54⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        55⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2752
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        56⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:2052
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        57⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        
        PID:1396
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        58⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        59⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        60⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1652
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        61⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:2676
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        62⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        63⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        64⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        65⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:2828
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        66⤵
        Identifies Wine through registry keys
        
        PID:3040
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        67⤵
        Checks whether UAC is enabled
        
        PID:2936
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        68⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        69⤵
        Drops file in System32 directory
        
        PID:1852
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        70⤵
        Identifies Wine through registry keys
        Adds Run key to start application
        Checks whether UAC is enabled
        
        PID:2712
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        71⤵
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:788
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        72⤵
        Adds Run key to start application
        
        PID:820
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        73⤵
        Identifies Wine through registry keys
        
        PID:1732
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        74⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        75⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        76⤵
        Identifies Wine through registry keys
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        77⤵
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        
        PID:1396
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        78⤵
        Identifies Wine through registry keys
        
        PID:2844
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        79⤵
        Identifies Wine through registry keys
        
        PID:2316
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        80⤵
        Identifies Wine through registry keys
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        81⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        82⤵
        Adds Run key to start application
        
        PID:2980
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        83⤵
        Identifies Wine through registry keys
        Adds Run key to start application
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        84⤵
        Identifies Wine through registry keys
        
        PID:2572
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        86⤵
        Checks whether UAC is enabled
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        87⤵
        Identifies Wine through registry keys
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1784
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        88⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2512
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        89⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        90⤵
        Adds Run key to start application
        Checks whether UAC is enabled
        
        PID:1888
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        91⤵
        Adds Run key to start application
        
        PID:1248
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        92⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        93⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        94⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        95⤵
        Identifies Wine through registry keys
        Adds Run key to start application
        
        PID:2636
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        96⤵
        Checks whether UAC is enabled
        
        PID:3044
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        97⤵
        Adds Run key to start application
        Checks whether UAC is enabled
        
        PID:2344
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        98⤵
        Checks whether UAC is enabled
        
        PID:2904
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        99⤵
        Checks whether UAC is enabled
        
        PID:2316
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        100⤵
        Adds Run key to start application
        
        PID:2236
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        101⤵
        Identifies Wine through registry keys
        
        PID:2732
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        102⤵
        Identifies Wine through registry keys
        Adds Run key to start application
        Checks whether UAC is enabled
        
        PID:2676
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        103⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        104⤵
        Identifies Wine through registry keys
        Adds Run key to start application
        
        PID:1864
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        105⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        106⤵
        Drops file in System32 directory
        
        PID:2668
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        107⤵
        Checks whether UAC is enabled
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        108⤵
        Drops file in System32 directory
        
        PID:324
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        109⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        110⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        111⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        112⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        113⤵
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        114⤵
        Checks whether UAC is enabled
        
        PID:2816
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        115⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        116⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        117⤵
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        118⤵
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        
        PID:936
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        120⤵
        Identifies Wine through registry keys
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        122⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        123⤵
        Checks whether UAC is enabled
        
        PID:1616
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        124⤵
        Adds Run key to start application
        Checks whether UAC is enabled
        
        PID:1668
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        126⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        127⤵
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        128⤵
        Identifies Wine through registry keys
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        129⤵
        Identifies Wine through registry keys
        
        PID:352
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        130⤵
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        131⤵
        Adds Run key to start application
        
        PID:2276
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        132⤵
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        133⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        134⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        135⤵
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        136⤵
        Checks whether UAC is enabled
        
        PID:2160
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        138⤵
        Identifies Wine through registry keys
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        139⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        140⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        141⤵
        Identifies Wine through registry keys
        Adds Run key to start application
        
        PID:1508
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        142⤵
        Identifies Wine through registry keys
        
        PID:2584
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        143⤵
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        
        PID:2484
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        144⤵
        Identifies Wine through registry keys
        Adds Run key to start application
        
        PID:1672
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        145⤵
        Checks whether UAC is enabled
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        146⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        147⤵
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        148⤵
        Identifies Wine through registry keys
        Adds Run key to start application
        
        PID:476
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        149⤵
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        150⤵
        Checks whether UAC is enabled
        Drops file in System32 directory
        
        PID:896
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        151⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:492
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        152⤵
        Identifies Wine through registry keys
        Adds Run key to start application
        Checks whether UAC is enabled
        
        PID:2128
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        153⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        154⤵
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        155⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        156⤵
        Adds Run key to start application
        Checks whether UAC is enabled
        
        PID:984
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        157⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        158⤵
        Identifies Wine through registry keys
        
        PID:324
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        159⤵
        Identifies Wine through registry keys
        
        PID:936
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        161⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        162⤵
        Identifies Wine through registry keys
        Adds Run key to start application
        
        PID:1124
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        163⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        164⤵
        Checks whether UAC is enabled
        
        PID:1148
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        166⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        167⤵
        Adds Run key to start application
        Checks whether UAC is enabled
        
        PID:2636
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        168⤵
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        169⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        170⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        171⤵
        Adds Run key to start application
        Checks whether UAC is enabled
        
        PID:2504
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        173⤵
        Adds Run key to start application
        
        PID:2316
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        174⤵
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        175⤵
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        176⤵
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Drops file in System32 directory
        
        PID:1348
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        177⤵
        Identifies Wine through registry keys
        Adds Run key to start application
        
        PID:2916
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        178⤵
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        179⤵
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        180⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        181⤵
        Adds Run key to start application
        
        PID:1464
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        182⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        183⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2212
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        184⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        186⤵
        Identifies Wine through registry keys
        
        PID:2280
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        187⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        188⤵
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        189⤵
        Adds Run key to start application
        Checks whether UAC is enabled
        
        PID:760
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        190⤵
        Identifies Wine through registry keys
        
        PID:2328
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        191⤵
        
        PID:916
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        192⤵
        Adds Run key to start application
        Checks whether UAC is enabled
        
        PID:2332
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        193⤵
        
        PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\vssms32.exe

Filesize
1.7MB

MD5
e41ae74819e7aaa64af9eb80b15e7e15

SHA1
47505056155c7e497bb0c147292a52db7e861e91

SHA256
5134df791246fd0f03be46628c026b2213e97387e6183cfae0227c84c71f8d85

SHA512
83e06688d1a1dacb46335b1657ebcfbdd2f4fae15c77b063f1513e1cfbad65e88451398953d234c7f29a5fd6c750ff0e1a51cdb1eb97e22184f68905f4319c36

Download Submit
memory/476-20-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/476-29-0x00000000079B0000-0x0000000007DD4000-memory.dmp

Filesize
4.1MB

Download
memory/476-28-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/820-137-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/828-107-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/896-117-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/944-96-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/984-88-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1204-102-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1244-131-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1248-138-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1260-135-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1300-119-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1300-92-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1344-35-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1344-42-0x00000000078E0000-0x0000000007D04000-memory.dmp

Filesize
4.1MB

Download
memory/1344-44-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1348-132-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1396-142-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1400-124-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1476-148-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1480-101-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1520-139-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1548-147-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1592-111-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1640-115-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1652-145-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1704-61-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1704-59-0x0000000007990000-0x0000000007DB4000-memory.dmp

Filesize
4.1MB

Download
memory/1704-56-0x0000000007990000-0x0000000007DB4000-memory.dmp

Filesize
4.1MB

Download
memory/1704-52-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1716-130-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1856-108-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1860-110-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1948-106-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1964-129-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2052-141-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2056-126-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2288-118-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2316-144-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2368-114-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2376-103-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2384-134-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2404-109-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2420-12-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2420-0-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2420-1-0x00000000755C1000-0x00000000755C2000-memory.dmp

Filesize
4KB

Download
memory/2424-121-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2432-57-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2432-66-0x0000000007BC0000-0x0000000007FE4000-memory.dmp

Filesize
4.1MB

Download
memory/2432-67-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2520-71-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2676-146-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2684-128-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2712-76-0x0000000007CE0000-0x0000000008104000-memory.dmp

Filesize
4.1MB

Download
memory/2712-37-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2712-38-0x0000000007CE0000-0x0000000008104000-memory.dmp

Filesize
4.1MB

Download
memory/2712-34-0x0000000007CE0000-0x0000000008104000-memory.dmp

Filesize
4.1MB

Download
memory/2712-30-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2720-113-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2740-104-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2752-140-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2780-136-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2792-75-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2796-97-0x00000000079E0000-0x0000000007E04000-memory.dmp

Filesize
4.1MB

Download
memory/2796-45-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2796-50-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2796-51-0x00000000079E0000-0x0000000007E04000-memory.dmp

Filesize
4.1MB

Download
memory/2800-80-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2808-112-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2820-14-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2820-19-0x0000000007970000-0x0000000007D94000-memory.dmp

Filesize
4.1MB

Download
memory/2820-58-0x0000000007970000-0x0000000007D94000-memory.dmp

Filesize
4.1MB

Download
memory/2820-22-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2820-23-0x0000000007970000-0x0000000007D94000-memory.dmp

Filesize
4.1MB

Download
memory/2824-105-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2892-133-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2900-123-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2904-116-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2904-84-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2920-143-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2928-120-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/2964-125-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/3000-127-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/3032-149-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/3064-122-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads