modiloader | c17b0155835f3d7341bb4a1adbeb9a2e0f734bcad1a7b5ce4a561431f7b81826

Analysis

max time kernel
69s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2024, 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87ea68c14a0af1ec0daa761af999f0c7_JaffaCakes118.exe
Size

307KB
MD5

87ea68c14a0af1ec0daa761af999f0c7
SHA1

13b7b30e65d8e068da1a620434c7881698cd3e63
SHA256

c17b0155835f3d7341bb4a1adbeb9a2e0f734bcad1a7b5ce4a561431f7b81826
SHA512

24e4eb7bac6dba582da3c4281d69b8576ace95df6862267355575ba43bb83560371c9a1a0bbd204be60664f7b7d741df362555f4118a01558b1764d073516c9c
SSDEEP

6144:v4KbG08oU3A+ZkGL0y6rACSqfe7vQ9+/hxwOaQJQ5dhhzdtG3:vLn8V3EGAJi/++ZxvQ/Hza

Score

10^/10

modiloader defense_evasion discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 64 IoCs

resource	yara_rule
behavioral2/memory/4868-35-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/3440-38-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/4868-42-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/1736-44-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/2972-47-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/2656-50-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/1388-53-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/5060-56-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/1880-59-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/1464-61-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/452-64-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/228-67-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-71-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/4064-74-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/4680-78-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/4352-81-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/1080-85-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/2308-88-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/2336-90-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/1764-93-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/5016-96-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/652-99-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/708-102-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/4716-105-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/904-107-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/3328-109-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/4596-111-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/3328-114-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/4220-117-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/4876-120-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/3336-123-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/4364-127-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/4352-130-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/1968-133-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/3048-137-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/2616-139-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/4168-141-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/3184-144-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/1148-146-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/4676-148-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/1492-150-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/3928-152-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/4880-153-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/2672-155-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/4020-157-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/2716-159-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/3236-160-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/452-162-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/4220-164-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/1652-166-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/4416-167-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/4748-168-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/4928-170-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/1468-172-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/4888-173-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/1980-175-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/1592-177-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/2668-179-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/552-180-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/2432-182-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/2028-184-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/4476-186-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/3100-188-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral2/memory/2716-190-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vssms32.exe

Executes dropped EXE 64 IoCs

pid	Process
4868	vssms32.exe
1736	vssms32.exe
2972	vssms32.exe
2656	vssms32.exe
1388	vssms32.exe
5060	vssms32.exe
1880	vssms32.exe
1464	vssms32.exe
452	vssms32.exe
228	vssms32.exe
4688	vssms32.exe
4064	vssms32.exe
4680	vssms32.exe
4352	vssms32.exe
1080	vssms32.exe
2308	vssms32.exe
2336	vssms32.exe
1764	vssms32.exe
5016	vssms32.exe
652	vssms32.exe
708	vssms32.exe
4716	vssms32.exe
904	vssms32.exe
4596	vssms32.exe
3328	vssms32.exe
4220	vssms32.exe
4876	vssms32.exe
3336	vssms32.exe
4364	vssms32.exe
4352	vssms32.exe
1968	vssms32.exe
3048	vssms32.exe
2616	vssms32.exe
4168	vssms32.exe
3184	vssms32.exe
1148	vssms32.exe
4676	vssms32.exe
1492	vssms32.exe
3928	vssms32.exe
4880	vssms32.exe
2672	vssms32.exe
4020	vssms32.exe
2716	vssms32.exe
3236	vssms32.exe
452	vssms32.exe
4220	vssms32.exe
1652	vssms32.exe
4416	vssms32.exe
4748	vssms32.exe
4928	vssms32.exe
1468	vssms32.exe
4888	vssms32.exe
1980	vssms32.exe
1592	vssms32.exe
2668	vssms32.exe
552	vssms32.exe
2432	vssms32.exe
2028	vssms32.exe
4476	vssms32.exe
3100	vssms32.exe
2716	vssms32.exe
3456	vssms32.exe
5068	vssms32.exe
1588	vssms32.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	87ea68c14a0af1ec0daa761af999f0c7_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	87ea68c14a0af1ec0daa761af999f0c7_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	87ea68c14a0af1ec0daa761af999f0c7_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	87ea68c14a0af1ec0daa761af999f0c7_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	87ea68c14a0af1ec0daa761af999f0c7_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	87ea68c14a0af1ec0daa761af999f0c7_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	87ea68c14a0af1ec0daa761af999f0c7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	87ea68c14a0af1ec0daa761af999f0c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3440-0-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/files/0x0008000000023ca7-6.dat	upx
behavioral2/memory/4868-35-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/3440-38-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/1736-40-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4868-42-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/1736-44-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/2972-47-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/2656-50-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/1388-53-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/5060-56-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/1880-59-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/1464-61-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/452-64-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/228-67-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4688-71-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4064-74-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4680-78-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4352-81-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/1080-85-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/2308-88-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/2336-90-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/1764-93-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/5016-96-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/652-99-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4716-101-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/708-102-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4716-105-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/904-107-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/3328-109-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4596-111-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/3328-114-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4220-117-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4876-120-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/3336-123-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4364-127-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4352-130-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/1968-133-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/3048-137-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/2616-139-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4168-141-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/3184-144-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/1148-146-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4676-148-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/1492-150-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/3928-152-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4880-153-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/2672-155-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4020-157-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/2716-159-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/3236-160-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/452-162-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4220-164-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/1652-166-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4416-167-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4748-168-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4928-170-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/1468-172-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4888-173-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/1980-175-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/1592-177-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/2668-179-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/552-180-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/2432-182-0x0000000000400000-0x00000000004C3000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87ea68c14a0af1ec0daa761af999f0c7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 4868	3440	87ea68c14a0af1ec0daa761af999f0c7_JaffaCakes118.exe	86
PID 3440 wrote to memory of 4868	3440	87ea68c14a0af1ec0daa761af999f0c7_JaffaCakes118.exe	86
PID 3440 wrote to memory of 4868	3440	87ea68c14a0af1ec0daa761af999f0c7_JaffaCakes118.exe	86
PID 4868 wrote to memory of 1736	4868	vssms32.exe	87
PID 4868 wrote to memory of 1736	4868	vssms32.exe	87
PID 4868 wrote to memory of 1736	4868	vssms32.exe	87
PID 1736 wrote to memory of 2972	1736	vssms32.exe	89
PID 1736 wrote to memory of 2972	1736	vssms32.exe	89
PID 1736 wrote to memory of 2972	1736	vssms32.exe	89
PID 2972 wrote to memory of 2656	2972	vssms32.exe	90
PID 2972 wrote to memory of 2656	2972	vssms32.exe	90
PID 2972 wrote to memory of 2656	2972	vssms32.exe	90
PID 2656 wrote to memory of 1388	2656	vssms32.exe	91
PID 2656 wrote to memory of 1388	2656	vssms32.exe	91
PID 2656 wrote to memory of 1388	2656	vssms32.exe	91
PID 1388 wrote to memory of 5060	1388	vssms32.exe	94
PID 1388 wrote to memory of 5060	1388	vssms32.exe	94
PID 1388 wrote to memory of 5060	1388	vssms32.exe	94
PID 5060 wrote to memory of 1880	5060	vssms32.exe	95
PID 5060 wrote to memory of 1880	5060	vssms32.exe	95
PID 5060 wrote to memory of 1880	5060	vssms32.exe	95
PID 1880 wrote to memory of 1464	1880	vssms32.exe	98
PID 1880 wrote to memory of 1464	1880	vssms32.exe	98
PID 1880 wrote to memory of 1464	1880	vssms32.exe	98
PID 1464 wrote to memory of 452	1464	vssms32.exe	99
PID 1464 wrote to memory of 452	1464	vssms32.exe	99
PID 1464 wrote to memory of 452	1464	vssms32.exe	99
PID 452 wrote to memory of 228	452	vssms32.exe	100
PID 452 wrote to memory of 228	452	vssms32.exe	100
PID 452 wrote to memory of 228	452	vssms32.exe	100
PID 228 wrote to memory of 4688	228	vssms32.exe	101
PID 228 wrote to memory of 4688	228	vssms32.exe	101
PID 228 wrote to memory of 4688	228	vssms32.exe	101
PID 4688 wrote to memory of 4064	4688	vssms32.exe	102
PID 4688 wrote to memory of 4064	4688	vssms32.exe	102
PID 4688 wrote to memory of 4064	4688	vssms32.exe	102
PID 4064 wrote to memory of 4680	4064	vssms32.exe	103
PID 4064 wrote to memory of 4680	4064	vssms32.exe	103
PID 4064 wrote to memory of 4680	4064	vssms32.exe	103
PID 4680 wrote to memory of 4352	4680	vssms32.exe	123
PID 4680 wrote to memory of 4352	4680	vssms32.exe	123
PID 4680 wrote to memory of 4352	4680	vssms32.exe	123
PID 4352 wrote to memory of 1080	4352	vssms32.exe	106
PID 4352 wrote to memory of 1080	4352	vssms32.exe	106
PID 4352 wrote to memory of 1080	4352	vssms32.exe	106
PID 1080 wrote to memory of 2308	1080	vssms32.exe	107
PID 1080 wrote to memory of 2308	1080	vssms32.exe	107
PID 1080 wrote to memory of 2308	1080	vssms32.exe	107
PID 2308 wrote to memory of 2336	2308	vssms32.exe	108
PID 2308 wrote to memory of 2336	2308	vssms32.exe	108
PID 2308 wrote to memory of 2336	2308	vssms32.exe	108
PID 2336 wrote to memory of 1764	2336	vssms32.exe	109
PID 2336 wrote to memory of 1764	2336	vssms32.exe	109
PID 2336 wrote to memory of 1764	2336	vssms32.exe	109
PID 1764 wrote to memory of 5016	1764	vssms32.exe	110
PID 1764 wrote to memory of 5016	1764	vssms32.exe	110
PID 1764 wrote to memory of 5016	1764	vssms32.exe	110
PID 5016 wrote to memory of 652	5016	vssms32.exe	113
PID 5016 wrote to memory of 652	5016	vssms32.exe	113
PID 5016 wrote to memory of 652	5016	vssms32.exe	113
PID 652 wrote to memory of 708	652	vssms32.exe	114
PID 652 wrote to memory of 708	652	vssms32.exe	114
PID 652 wrote to memory of 708	652	vssms32.exe	114
PID 708 wrote to memory of 4716	708	vssms32.exe	115

C:\Users\Admin\AppData\Local\Temp\87ea68c14a0af1ec0daa761af999f0c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\87ea68c14a0af1ec0daa761af999f0c7_JaffaCakes118.exe"
1⤵
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Windows\SysWOW64\vssms32.exe
  "C:\Windows\system32\vssms32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\SysWOW64\vssms32.exe
    "C:\Windows\system32\vssms32.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\SysWOW64\vssms32.exe
      "C:\Windows\system32\vssms32.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        34⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        42⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        43⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        49⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4748
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        55⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        64⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        66⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:732
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        67⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        68⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        69⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        71⤵
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        72⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        73⤵
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        74⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        75⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        76⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        77⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        78⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        79⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        80⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        81⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3828
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        82⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        83⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        84⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        86⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        87⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        88⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        89⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        90⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        91⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        92⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        93⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        94⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        95⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        97⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        98⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        99⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        100⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        101⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        102⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        103⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        104⤵
        
        PID:648
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        105⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        106⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        107⤵
        
        PID:452
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        108⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        109⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        110⤵
        
        PID:832
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        111⤵
        
        PID:732
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        112⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        113⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        114⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        115⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        116⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        117⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        118⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        119⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        120⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        121⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        122⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        123⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        124⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        125⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        126⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        127⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        128⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        129⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        130⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        131⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        132⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        133⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        134⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        135⤵
        
        PID:216
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        136⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        137⤵
        
        PID:864
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        138⤵
        
        PID:732
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        139⤵
        
        PID:544
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        140⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        141⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        142⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        143⤵
        
        PID:836
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        144⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        145⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        146⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        147⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        148⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        149⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        150⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        151⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        152⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        153⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        154⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        155⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        156⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        157⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        158⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        159⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        160⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        161⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        162⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        163⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        164⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        165⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        166⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        167⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        168⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        169⤵
        
        PID:64
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        170⤵
        
        PID:928
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        171⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        172⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        173⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        174⤵
        
        PID:772
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        175⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        176⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        177⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        178⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        179⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        180⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        181⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        182⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        183⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        184⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        185⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        186⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        187⤵
        
        PID:488
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        188⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        189⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        190⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        191⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        192⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        193⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        194⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        195⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        196⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        197⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        198⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        199⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        200⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        201⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        202⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        203⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        204⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        205⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        206⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        207⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        208⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        209⤵
        
        PID:864
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        210⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        211⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        212⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        213⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        214⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        215⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        216⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        217⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        218⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        219⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        220⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        221⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        222⤵
        
        PID:8
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        223⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        224⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        225⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        226⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        227⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        228⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        229⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        230⤵
        
        PID:5044

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1288

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\vssms32.exe

Filesize
307KB

MD5
87ea68c14a0af1ec0daa761af999f0c7

SHA1
13b7b30e65d8e068da1a620434c7881698cd3e63

SHA256
c17b0155835f3d7341bb4a1adbeb9a2e0f734bcad1a7b5ce4a561431f7b81826

SHA512
24e4eb7bac6dba582da3c4281d69b8576ace95df6862267355575ba43bb83560371c9a1a0bbd204be60664f7b7d741df362555f4118a01558b1764d073516c9c

Download Submit
memory/228-67-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/452-64-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/452-162-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/552-180-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/652-256-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/652-99-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/708-102-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/732-198-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/904-107-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1000-234-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1016-224-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1072-246-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1080-85-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1080-242-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1120-208-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1148-146-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1228-268-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1288-210-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1388-53-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1396-212-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1464-61-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1464-220-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1468-172-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1492-150-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1588-196-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1592-177-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1608-216-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1652-166-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1736-44-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1736-40-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1764-93-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1860-218-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1880-59-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1912-254-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1968-133-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1980-175-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2028-266-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2028-184-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2156-206-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2308-88-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2336-90-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2432-182-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2596-250-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2616-139-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2656-50-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2668-258-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2668-179-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2672-155-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2716-159-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2716-190-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2864-222-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2972-47-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3048-137-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3048-252-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3100-188-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3184-144-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3236-160-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3300-214-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3312-236-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3328-114-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3328-109-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3336-123-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3440-0-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3440-38-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3440-1-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/3456-192-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3636-248-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3656-260-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3664-240-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3828-228-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3928-152-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4020-157-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4064-74-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4124-202-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4168-141-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4220-164-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4220-117-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4352-130-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4352-81-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4364-127-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4364-200-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4416-167-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4476-186-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4516-204-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4568-244-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4596-111-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4676-148-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4680-78-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4688-71-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4716-105-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4716-101-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4740-262-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4748-168-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4768-230-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4780-270-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4868-35-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4868-36-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/4868-42-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4876-120-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4880-153-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4888-173-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4892-238-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4928-170-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4960-264-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/5016-96-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/5060-56-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/5068-194-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/5076-232-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/5108-226-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads