Analysis
-
max time kernel
150s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-09-2024 05:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral2
Sample
e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
13 signatures
150 seconds
General
-
Target
e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe
-
Size
1.7MB
-
MD5
e41ae74819e7aaa64af9eb80b15e7e15
-
SHA1
47505056155c7e497bb0c147292a52db7e861e91
-
SHA256
5134df791246fd0f03be46628c026b2213e97387e6183cfae0227c84c71f8d85
-
SHA512
83e06688d1a1dacb46335b1657ebcfbdd2f4fae15c77b063f1513e1cfbad65e88451398953d234c7f29a5fd6c750ff0e1a51cdb1eb97e22184f68905f4319c36
-
SSDEEP
49152:7NrLrCNDXy0i3jqYEahU4uabffpTaKO6iCUf:7NriHi3jq74uup+oiC
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 64 IoCs
resource yara_rule behavioral2/memory/4280-2-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/4280-37-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/4716-40-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/2940-44-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/4008-47-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/3476-51-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/4456-56-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/2724-58-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/4928-62-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/1416-66-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/4064-69-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/3644-73-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/3928-76-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/1228-80-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/4364-83-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/1472-86-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/3048-89-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/744-92-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/2664-96-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/1836-100-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/916-103-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/3644-105-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/2904-109-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/3284-112-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/1632-115-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/3680-118-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/2316-120-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/1928-122-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/676-124-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/1828-126-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/3236-128-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/964-130-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/2044-132-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/384-135-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/4836-138-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/1696-140-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/1204-142-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/816-143-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/464-144-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/4868-145-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/4032-146-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/2960-147-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/3648-148-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/1348-149-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/2836-150-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/2136-151-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/3956-152-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/4716-153-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/4784-154-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/3740-155-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/940-156-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/2576-157-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/4712-158-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/3532-159-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/3680-160-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/2316-161-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/4748-162-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/2108-163-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/2148-164-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/1564-165-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/2096-166-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/932-167-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/4460-168-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 behavioral2/memory/2816-169-0x0000000000400000-0x0000000000824000-memory.dmp modiloader_stage2 -
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation vssms32.exe -
Executes dropped EXE 64 IoCs
pid Process 4716 vssms32.exe 2940 vssms32.exe 4008 vssms32.exe 3476 vssms32.exe 4456 vssms32.exe 2724 vssms32.exe 4928 vssms32.exe 1416 vssms32.exe 4064 vssms32.exe 3644 vssms32.exe 3928 vssms32.exe 1228 vssms32.exe 4364 vssms32.exe 1472 vssms32.exe 3048 vssms32.exe 744 vssms32.exe 2664 vssms32.exe 1836 vssms32.exe 916 vssms32.exe 3644 vssms32.exe 2904 vssms32.exe 3284 vssms32.exe 1632 vssms32.exe 3680 vssms32.exe 2316 vssms32.exe 1928 vssms32.exe 676 vssms32.exe 1828 vssms32.exe 3236 vssms32.exe 964 vssms32.exe 2044 vssms32.exe 384 vssms32.exe 4836 vssms32.exe 1696 vssms32.exe 1204 vssms32.exe 816 vssms32.exe 464 vssms32.exe 4868 vssms32.exe 4032 vssms32.exe 2960 vssms32.exe 3648 vssms32.exe 1348 vssms32.exe 2836 vssms32.exe 2136 vssms32.exe 3956 vssms32.exe 4716 vssms32.exe 4784 vssms32.exe 3740 vssms32.exe 940 vssms32.exe 2576 vssms32.exe 4712 vssms32.exe 3532 vssms32.exe 3680 vssms32.exe 2316 vssms32.exe 4748 vssms32.exe 2108 vssms32.exe 2148 vssms32.exe 1564 vssms32.exe 2096 vssms32.exe 932 vssms32.exe 4460 vssms32.exe 2816 vssms32.exe 4472 vssms32.exe 4440 vssms32.exe -
Identifies Wine through registry keys 2 TTPs 64 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine vssms32.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vssms32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4280 wrote to memory of 4716 4280 e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe 82 PID 4280 wrote to memory of 4716 4280 e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe 82 PID 4280 wrote to memory of 4716 4280 e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe 82 PID 4716 wrote to memory of 2940 4716 vssms32.exe 86 PID 4716 wrote to memory of 2940 4716 vssms32.exe 86 PID 4716 wrote to memory of 2940 4716 vssms32.exe 86 PID 2940 wrote to memory of 4008 2940 vssms32.exe 88 PID 2940 wrote to memory of 4008 2940 vssms32.exe 88 PID 2940 wrote to memory of 4008 2940 vssms32.exe 88 PID 4008 wrote to memory of 3476 4008 vssms32.exe 89 PID 4008 wrote to memory of 3476 4008 vssms32.exe 89 PID 4008 wrote to memory of 3476 4008 vssms32.exe 89 PID 3476 wrote to memory of 4456 3476 vssms32.exe 91 PID 3476 wrote to memory of 4456 3476 vssms32.exe 91 PID 3476 wrote to memory of 4456 3476 vssms32.exe 91 PID 4456 wrote to memory of 2724 4456 vssms32.exe 92 PID 4456 wrote to memory of 2724 4456 vssms32.exe 92 PID 4456 wrote to memory of 2724 4456 vssms32.exe 92 PID 2724 wrote to memory of 4928 2724 vssms32.exe 95 PID 2724 wrote to memory of 4928 2724 vssms32.exe 95 PID 2724 wrote to memory of 4928 2724 vssms32.exe 95 PID 4928 wrote to memory of 1416 4928 vssms32.exe 96 PID 4928 wrote to memory of 1416 4928 vssms32.exe 96 PID 4928 wrote to memory of 1416 4928 vssms32.exe 96 PID 1416 wrote to memory of 4064 1416 vssms32.exe 97 PID 1416 wrote to memory of 4064 1416 vssms32.exe 97 PID 1416 wrote to memory of 4064 1416 vssms32.exe 97 PID 4064 wrote to memory of 3644 4064 vssms32.exe 98 PID 4064 wrote to memory of 3644 4064 vssms32.exe 98 PID 4064 wrote to memory of 3644 4064 vssms32.exe 98 PID 3644 wrote to memory of 3928 3644 vssms32.exe 99 PID 3644 wrote to memory of 3928 3644 vssms32.exe 99 PID 3644 wrote to memory of 3928 3644 vssms32.exe 99 PID 3928 wrote to memory of 1228 3928 vssms32.exe 100 PID 3928 wrote to memory of 1228 3928 vssms32.exe 100 PID 3928 wrote to memory of 1228 3928 vssms32.exe 100 PID 1228 wrote to memory of 4364 1228 vssms32.exe 101 PID 1228 wrote to memory of 4364 1228 vssms32.exe 101 PID 1228 wrote to memory of 4364 1228 vssms32.exe 101 PID 4364 wrote to memory of 1472 4364 vssms32.exe 102 PID 4364 wrote to memory of 1472 4364 vssms32.exe 102 PID 4364 wrote to memory of 1472 4364 vssms32.exe 102 PID 1472 wrote to memory of 3048 1472 vssms32.exe 103 PID 1472 wrote to memory of 3048 1472 vssms32.exe 103 PID 1472 wrote to memory of 3048 1472 vssms32.exe 103 PID 3048 wrote to memory of 744 3048 vssms32.exe 104 PID 3048 wrote to memory of 744 3048 vssms32.exe 104 PID 3048 wrote to memory of 744 3048 vssms32.exe 104 PID 744 wrote to memory of 2664 744 vssms32.exe 105 PID 744 wrote to memory of 2664 744 vssms32.exe 105 PID 744 wrote to memory of 2664 744 vssms32.exe 105 PID 2664 wrote to memory of 1836 2664 vssms32.exe 106 PID 2664 wrote to memory of 1836 2664 vssms32.exe 106 PID 2664 wrote to memory of 1836 2664 vssms32.exe 106 PID 1836 wrote to memory of 916 1836 vssms32.exe 107 PID 1836 wrote to memory of 916 1836 vssms32.exe 107 PID 1836 wrote to memory of 916 1836 vssms32.exe 107 PID 916 wrote to memory of 3644 916 vssms32.exe 108 PID 916 wrote to memory of 3644 916 vssms32.exe 108 PID 916 wrote to memory of 3644 916 vssms32.exe 108 PID 3644 wrote to memory of 2904 3644 vssms32.exe 109 PID 3644 wrote to memory of 2904 3644 vssms32.exe 109 PID 3644 wrote to memory of 2904 3644 vssms32.exe 109 PID 2904 wrote to memory of 3284 2904 vssms32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e41ae74819e7aaa64af9eb80b15e7e15_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"4⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"8⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"9⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"12⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"13⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"17⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"19⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"22⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"23⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Drops file in System32 directory
PID:3284 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"24⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"25⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:3680 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"26⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"27⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:676 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"30⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3236 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"31⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:964 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"32⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Drops file in System32 directory
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"33⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:384 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"34⤵
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4836 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"35⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"36⤵
- Checks computer location settings
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"37⤵
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:816 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"38⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
PID:464 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"39⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
PID:4868 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"40⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
PID:4032 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"41⤵
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"42⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:3648 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"43⤵
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1348 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"44⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"45⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"46⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
PID:3956 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"47⤵
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4716 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"48⤵
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Drops file in System32 directory
PID:4784 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"49⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
PID:3740 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"50⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:940 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"51⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
PID:2576 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"52⤵
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4712 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"53⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3532 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"54⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3680 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"55⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"56⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4748 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"57⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"58⤵
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
PID:2148 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"59⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"60⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"61⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:932 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"62⤵
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4460 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"63⤵
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"64⤵
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Drops file in System32 directory
PID:4472 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"65⤵
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4440 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"66⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:512 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"67⤵
- Checks computer location settings
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"68⤵
- Checks computer location settings
- Identifies Wine through registry keys
- Adds Run key to start application
PID:1420 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"69⤵
- Checks computer location settings
- Adds Run key to start application
PID:2792 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"70⤵
- Identifies Wine through registry keys
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"71⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"72⤵
- Identifies Wine through registry keys
- Adds Run key to start application
PID:4456 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"73⤵
- Checks computer location settings
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4332 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"74⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
PID:4372 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"75⤵
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
PID:4688 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"76⤵
- Checks computer location settings
- Identifies Wine through registry keys
- System Location Discovery: System Language Discovery
PID:5080 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"77⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"78⤵
- Identifies Wine through registry keys
- Drops file in System32 directory
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"79⤵
- Identifies Wine through registry keys
- Drops file in System32 directory
PID:4868 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"80⤵
- Checks computer location settings
- Identifies Wine through registry keys
PID:5036 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"81⤵
- Checks computer location settings
- Checks whether UAC is enabled
PID:424 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"82⤵
- Checks computer location settings
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"83⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5088 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"84⤵
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:3916 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"85⤵
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:4412 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"86⤵
- Checks computer location settings
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:404 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"87⤵
- Checks computer location settings
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4732 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"88⤵
- Checks computer location settings
- Identifies Wine through registry keys
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"89⤵
- Drops file in System32 directory
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"90⤵
- Identifies Wine through registry keys
- System Location Discovery: System Language Discovery
PID:428 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"91⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:400 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"92⤵
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"93⤵
- System Location Discovery: System Language Discovery
PID:768 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"94⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4508 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"95⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:1360 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"96⤵
- Identifies Wine through registry keys
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"97⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4352 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"98⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:404 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"99⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3372 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"100⤵
- Adds Run key to start application
- Modifies registry class
PID:3740 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"101⤵
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
PID:4404 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"102⤵
- Checks computer location settings
- Identifies Wine through registry keys
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3208 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"103⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"104⤵
- Checks computer location settings
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
PID:3788 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"105⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:1320 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"106⤵
- Adds Run key to start application
- Modifies registry class
PID:4388 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"107⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"108⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"109⤵
- Identifies Wine through registry keys
- System Location Discovery: System Language Discovery
PID:3920 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"110⤵
- Checks computer location settings
- Identifies Wine through registry keys
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"111⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4348 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"112⤵
- Identifies Wine through registry keys
- Adds Run key to start application
PID:3232 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"113⤵
- System Location Discovery: System Language Discovery
PID:4324 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"114⤵
- Checks computer location settings
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
PID:424 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"115⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"116⤵
- Checks computer location settings
- Identifies Wine through registry keys
- Checks whether UAC is enabled
PID:1092 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"117⤵
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4304 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"118⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"119⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4516 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"120⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3540 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"121⤵PID:2772
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-