modiloader | f43c9095f482f80118fdbcded5e96e1367e1415dba13822d092366c3b02d3260

Analysis

max time kernel
61s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

921b0f0750b736d3b0d63d1afaccd765_JaffaCakes118.exe
Size

5.8MB
MD5

921b0f0750b736d3b0d63d1afaccd765
SHA1

e78d7df693b5b5ad92f57d1fe33a4491140c2ba4
SHA256

f43c9095f482f80118fdbcded5e96e1367e1415dba13822d092366c3b02d3260
SHA512

9afe8e759e9ea7068a6101adcb51896e6abaac2ead4328e26810c79087b0effae587b443bc879b92f958c2cf9502f1c36e651b1141fbe8e377bbd979082703cf
SSDEEP

12288:TLn8V3EGAJi/FSCQ6vI5+RUm82fR50vwVc71ap+gbC:TA30GSCQ6vc+k2fTaccl

Score

10^/10

modiloader defense_evasion discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 64 IoCs

resource	yara_rule
behavioral2/memory/2072-60-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4212-62-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/2824-64-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4212-67-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/2428-70-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4784-73-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/3228-77-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4584-80-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/1772-83-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/3200-85-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4284-89-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/1832-91-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4520-93-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/1832-96-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/3188-99-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/3968-101-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/1184-105-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/392-108-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/3116-111-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/1840-114-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/3888-116-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/3360-119-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/3600-122-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/1704-125-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/2644-128-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/3944-131-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/3228-135-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/3032-137-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4168-139-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/1748-141-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/3032-143-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/3940-145-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/1748-147-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/3940-149-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/2464-153-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/1596-156-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/3188-158-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4148-161-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/2300-163-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/860-165-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/5108-167-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/3136-169-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/1440-171-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/316-173-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/808-175-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/60-177-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/3240-179-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/1248-181-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/2284-183-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4784-185-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4796-187-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/1908-188-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-189-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4584-191-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4512-193-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/2368-195-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4352-197-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/1804-199-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/3244-201-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/3220-202-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/1528-204-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/3732-206-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4488-208-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4448-210-0x0000000000400000-0x00000000004C5000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	921b0f0750b736d3b0d63d1afaccd765_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Program.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vssms32.exe

Executes dropped EXE 64 IoCs

pid	Process
2072	Program.EXE
780	Program1.EXE
2824	vssms32.exe
4212	vssms32.exe
2428	vssms32.exe
4784	vssms32.exe
3228	vssms32.exe
4584	vssms32.exe
1772	vssms32.exe
3200	vssms32.exe
4284	vssms32.exe
4520	vssms32.exe
1832	vssms32.exe
3188	vssms32.exe
3968	vssms32.exe
1184	vssms32.exe
392	vssms32.exe
3116	vssms32.exe
1840	vssms32.exe
3888	vssms32.exe
3360	vssms32.exe
3600	vssms32.exe
1704	vssms32.exe
2644	vssms32.exe
3944	vssms32.exe
3228	vssms32.exe
4168	vssms32.exe
3032	vssms32.exe
1748	vssms32.exe
3940	vssms32.exe
2464	vssms32.exe
1596	vssms32.exe
3188	vssms32.exe
4148	vssms32.exe
2300	vssms32.exe
860	vssms32.exe
5108	vssms32.exe
3136	vssms32.exe
1440	vssms32.exe
316	vssms32.exe
808	vssms32.exe
60	vssms32.exe
3240	vssms32.exe
1248	vssms32.exe
2284	vssms32.exe
4784	vssms32.exe
4796	vssms32.exe
1908	vssms32.exe
4516	vssms32.exe
4584	vssms32.exe
4512	vssms32.exe
2368	vssms32.exe
4352	vssms32.exe
1804	vssms32.exe
3244	vssms32.exe
3220	vssms32.exe
1528	vssms32.exe
3732	vssms32.exe
4488	vssms32.exe
4448	vssms32.exe
100	vssms32.exe
4800	vssms32.exe
3888	vssms32.exe
3360	vssms32.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	Program.EXE
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	Program.EXE
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	Program.EXE
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	Program.EXE
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	Program.EXE
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	Program.EXE

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	Program.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	Program.EXE
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	Program.EXE
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4928-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/files/0x000a000000023be6-5.dat	upx
behavioral2/memory/2072-12-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/4928-22-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/2072-60-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/4212-62-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/2824-64-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/4212-67-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/2428-70-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/3228-72-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/4784-73-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/4584-75-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/3228-77-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/4584-80-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/1772-83-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/3200-85-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/4284-89-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/1832-91-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/4520-93-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/1832-96-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/3188-99-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/3968-101-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/1184-105-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/392-108-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/3116-111-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/1840-114-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/3888-116-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/3360-119-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/3600-122-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/1704-125-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/2644-128-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/3944-131-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/3228-135-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/3032-137-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/4168-139-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/1748-141-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/3032-143-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/3940-145-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/1748-147-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/3940-149-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/2464-153-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/1596-156-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/3188-158-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/4148-161-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/2300-163-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/860-165-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/5108-167-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/3136-169-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/1440-171-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/316-173-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/808-175-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/60-177-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/3240-179-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/1248-181-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/2284-183-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/4784-185-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/4796-187-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/1908-188-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/4516-189-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/4584-191-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/4512-193-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/2368-195-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/4352-197-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/1804-199-0x0000000000400000-0x00000000004C5000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Program1.EXE	921b0f0750b736d3b0d63d1afaccd765_JaffaCakes118.exe
File created	C:\Windows\Program.EXE	921b0f0750b736d3b0d63d1afaccd765_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Program.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Program.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
780	Program1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 2072	4928	921b0f0750b736d3b0d63d1afaccd765_JaffaCakes118.exe	85
PID 4928 wrote to memory of 2072	4928	921b0f0750b736d3b0d63d1afaccd765_JaffaCakes118.exe	85
PID 4928 wrote to memory of 2072	4928	921b0f0750b736d3b0d63d1afaccd765_JaffaCakes118.exe	85
PID 4928 wrote to memory of 780	4928	921b0f0750b736d3b0d63d1afaccd765_JaffaCakes118.exe	86
PID 4928 wrote to memory of 780	4928	921b0f0750b736d3b0d63d1afaccd765_JaffaCakes118.exe	86
PID 4928 wrote to memory of 780	4928	921b0f0750b736d3b0d63d1afaccd765_JaffaCakes118.exe	86
PID 2072 wrote to memory of 2824	2072	Program.EXE	87
PID 2072 wrote to memory of 2824	2072	Program.EXE	87
PID 2072 wrote to memory of 2824	2072	Program.EXE	87
PID 2824 wrote to memory of 4212	2824	vssms32.exe	88
PID 2824 wrote to memory of 4212	2824	vssms32.exe	88
PID 2824 wrote to memory of 4212	2824	vssms32.exe	88
PID 4212 wrote to memory of 2428	4212	vssms32.exe	89
PID 4212 wrote to memory of 2428	4212	vssms32.exe	89
PID 4212 wrote to memory of 2428	4212	vssms32.exe	89
PID 2428 wrote to memory of 4784	2428	vssms32.exe	90
PID 2428 wrote to memory of 4784	2428	vssms32.exe	90
PID 2428 wrote to memory of 4784	2428	vssms32.exe	90
PID 4784 wrote to memory of 3228	4784	vssms32.exe	121
PID 4784 wrote to memory of 3228	4784	vssms32.exe	121
PID 4784 wrote to memory of 3228	4784	vssms32.exe	121
PID 3228 wrote to memory of 4584	3228	vssms32.exe	92
PID 3228 wrote to memory of 4584	3228	vssms32.exe	92
PID 3228 wrote to memory of 4584	3228	vssms32.exe	92
PID 4584 wrote to memory of 1772	4584	vssms32.exe	93
PID 4584 wrote to memory of 1772	4584	vssms32.exe	93
PID 4584 wrote to memory of 1772	4584	vssms32.exe	93
PID 1772 wrote to memory of 3200	1772	vssms32.exe	94
PID 1772 wrote to memory of 3200	1772	vssms32.exe	94
PID 1772 wrote to memory of 3200	1772	vssms32.exe	94
PID 3200 wrote to memory of 4284	3200	vssms32.exe	97
PID 3200 wrote to memory of 4284	3200	vssms32.exe	97
PID 3200 wrote to memory of 4284	3200	vssms32.exe	97
PID 4284 wrote to memory of 4520	4284	vssms32.exe	98
PID 4284 wrote to memory of 4520	4284	vssms32.exe	98
PID 4284 wrote to memory of 4520	4284	vssms32.exe	98
PID 4520 wrote to memory of 1832	4520	vssms32.exe	100
PID 4520 wrote to memory of 1832	4520	vssms32.exe	100
PID 4520 wrote to memory of 1832	4520	vssms32.exe	100
PID 1832 wrote to memory of 3188	1832	vssms32.exe	128
PID 1832 wrote to memory of 3188	1832	vssms32.exe	128
PID 1832 wrote to memory of 3188	1832	vssms32.exe	128
PID 3188 wrote to memory of 3968	3188	vssms32.exe	105
PID 3188 wrote to memory of 3968	3188	vssms32.exe	105
PID 3188 wrote to memory of 3968	3188	vssms32.exe	105
PID 3968 wrote to memory of 1184	3968	vssms32.exe	106
PID 3968 wrote to memory of 1184	3968	vssms32.exe	106
PID 3968 wrote to memory of 1184	3968	vssms32.exe	106
PID 1184 wrote to memory of 392	1184	vssms32.exe	107
PID 1184 wrote to memory of 392	1184	vssms32.exe	107
PID 1184 wrote to memory of 392	1184	vssms32.exe	107
PID 392 wrote to memory of 3116	392	vssms32.exe	108
PID 392 wrote to memory of 3116	392	vssms32.exe	108
PID 392 wrote to memory of 3116	392	vssms32.exe	108
PID 3116 wrote to memory of 1840	3116	vssms32.exe	109
PID 3116 wrote to memory of 1840	3116	vssms32.exe	109
PID 3116 wrote to memory of 1840	3116	vssms32.exe	109
PID 1840 wrote to memory of 3888	1840	vssms32.exe	161
PID 1840 wrote to memory of 3888	1840	vssms32.exe	161
PID 1840 wrote to memory of 3888	1840	vssms32.exe	161
PID 3888 wrote to memory of 3360	3888	vssms32.exe	162
PID 3888 wrote to memory of 3360	3888	vssms32.exe	162
PID 3888 wrote to memory of 3360	3888	vssms32.exe	162
PID 3360 wrote to memory of 3600	3360	vssms32.exe	163

C:\Users\Admin\AppData\Local\Temp\921b0f0750b736d3b0d63d1afaccd765_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\921b0f0750b736d3b0d63d1afaccd765_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\Program.EXE
  "C:\Windows\Program.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\vssms32.exe
    "C:\Windows\system32\vssms32.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\vssms32.exe
      "C:\Windows\system32\vssms32.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3228
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        30⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        31⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2464
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        42⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        50⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        60⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:100
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        64⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        65⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        66⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        67⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        68⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        69⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        70⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        71⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        72⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        73⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        74⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        75⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        76⤵
        Adds Run key to start application
        
        PID:1832
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        77⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        78⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        80⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        81⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        82⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        83⤵
        Checks computer location settings
        
        PID:4528
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        84⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        85⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        86⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        87⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        89⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        90⤵
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        91⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        92⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        93⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        94⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        95⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        96⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        97⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        98⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        99⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        100⤵
        
        PID:452
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        101⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        102⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        103⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        104⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        105⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        106⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        107⤵
        
        PID:392
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        108⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        109⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        110⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        111⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        112⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        113⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        114⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        115⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        116⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        117⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        118⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        119⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        120⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        121⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        122⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        123⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        124⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        125⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        126⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        127⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        128⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        129⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        130⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        131⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        132⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        133⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        134⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        135⤵
        
        PID:392
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        136⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        137⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        138⤵
        
        PID:808
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        139⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        140⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        141⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        142⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        143⤵
        
        PID:948
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        144⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        145⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        146⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        147⤵
        
        PID:432
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        148⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        149⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        150⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        151⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        152⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        153⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        154⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        155⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        156⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        157⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        158⤵
        
        PID:452
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        159⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        160⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        161⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        162⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        163⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        164⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        165⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        166⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        167⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        168⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        169⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        170⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        171⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        172⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        173⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        174⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        175⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        176⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        177⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        178⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        179⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        180⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        181⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        182⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        183⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        184⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        185⤵
        
        PID:116
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        186⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        187⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        188⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        189⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        190⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        191⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        192⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        193⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        194⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        195⤵
        
        PID:212
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        196⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        197⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        198⤵
        
        PID:316
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        199⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        200⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        201⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        202⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        203⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        204⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        205⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        206⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        207⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        208⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        209⤵
        
        PID:444
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        210⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        211⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        212⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        213⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        214⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        215⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        216⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        217⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        218⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        219⤵
        
        PID:788
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        220⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        221⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        222⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        223⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        224⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        225⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        226⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        227⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        228⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        229⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        230⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        231⤵
        
        PID:804
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        232⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        233⤵
        
        PID:464
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        234⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        235⤵
        
        PID:2392
- C:\Windows\Program1.EXE
  "C:\Windows\Program1.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:780

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Program.EXE

Filesize
311KB

MD5
eebc04d688a62729fad3ed089e565928

SHA1
b3142ebad3485ae8082c9af9f0aed75f4ea1c248

SHA256
05a18f7212ebe7fafe583b88baf0bb5c8b8441aaff92dd3257c2c6b1ff93ef51

SHA512
648a34b767befd6193587bf170cf0395e324cee4d302289ed288b1564e19bb7310295f84b3a1657af7f4caa85cfac4236fc6b1182ba4e5f02e6e3b66994decb2

Download Submit
C:\Windows\Program1.EXE

Filesize
5.5MB

MD5
9d88fef0ae6fa6878c2eb17200740fb1

SHA1
7964684e1c0fdf4668d24d175d4ceba14b15adf0

SHA256
6d1762e1b6b4c771e784b502bad7585a0698605be4d66a6715fbe8c25d38b7a5

SHA512
6631604547f5f3a43dc32a9b9962e918e63b26b69207bcfea7a89fb675ba975d8260682f77b61d4f6a40f5734f8f8217ea6b8df0285f151b7fd2fe9ada10e83e

Download Submit
memory/60-177-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/100-212-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/316-173-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/392-108-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/808-175-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/860-165-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1008-254-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1184-105-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1244-268-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1248-181-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1276-266-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1396-264-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1408-278-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1440-171-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1528-204-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1596-156-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1704-125-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1748-147-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1748-141-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1772-83-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1804-199-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1832-96-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1832-91-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1832-242-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1840-114-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1908-188-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1944-270-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2072-12-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2072-60-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2072-23-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/2120-230-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2152-272-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2284-183-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2300-163-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2332-250-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2344-260-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2368-195-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2428-70-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2464-153-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2636-276-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2644-128-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2812-258-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2824-64-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3032-137-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3032-143-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3112-274-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3116-111-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3136-169-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3164-228-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3188-158-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3188-99-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3200-85-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3220-202-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3228-77-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3228-135-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3228-72-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3240-179-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3244-201-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3360-218-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3360-119-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3532-234-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3600-220-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3600-122-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3612-280-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3732-206-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3784-248-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3796-232-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3888-116-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3888-216-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3940-145-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3940-149-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3944-131-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3968-101-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3996-244-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4040-236-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4148-161-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4168-139-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4212-62-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4212-67-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4276-240-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4284-89-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4300-238-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4352-197-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4448-210-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4488-208-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4512-193-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4516-189-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4520-93-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4528-256-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4584-191-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4584-75-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4584-80-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4712-226-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4784-73-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4784-185-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4796-187-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4800-214-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4868-252-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4928-262-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4928-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4928-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4972-224-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4988-246-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5040-222-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5108-167-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads