modiloader | 5229fb1862d1f09f614df4ff096f36543e7dab2b533ae8f562e26cfce9ee0855

Analysis

max time kernel
74s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe
Size

848KB
MD5

dd1a45c15e24e374b1ce61322b1b038a
SHA1

83e881353184e940b2f8998cbb4fd3b029e5daa6
SHA256

5229fb1862d1f09f614df4ff096f36543e7dab2b533ae8f562e26cfce9ee0855
SHA512

08d69311860e2a73e9c3286515c1ad6388c603a8a4aa5be8b7f0c4f830156af93fe538833a19ee36bcbec7d4c801ae54c458dfaf760fe1b636d8193e3e893d94
SSDEEP

12288:oLn8V3EGAJi/jtNri+lckfi+B93Fp14KODz7coEpZocuRrp7hUkjJNNEuijUDlrB:oA30gtM4c4flODz7cQ5jfWui2Ut

Score

10^/10

modiloader defense_evasion discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 33 IoCs

resource	yara_rule
behavioral1/memory/2944-32-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/2760-40-0x0000000005B20000-0x0000000005C92000-memory.dmp	modiloader_stage2
behavioral1/memory/2760-47-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/872-67-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-81-0x0000000005AB0000-0x0000000005C22000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-87-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/2088-113-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/2088-104-0x0000000004300000-0x0000000004472000-memory.dmp	modiloader_stage2
behavioral1/memory/2636-120-0x0000000004240000-0x00000000043B2000-memory.dmp	modiloader_stage2
behavioral1/memory/2636-126-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/2168-144-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/2664-169-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/1976-189-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/1796-202-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/1796-196-0x00000000042A0000-0x0000000004412000-memory.dmp	modiloader_stage2
behavioral1/memory/1036-220-0x0000000005BD0000-0x0000000005D42000-memory.dmp	modiloader_stage2
behavioral1/memory/1036-221-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/1804-239-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/2848-257-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/2728-272-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/576-285-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/2152-303-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/2568-313-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-326-0x0000000005CE0000-0x0000000005E52000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-332-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/2788-342-0x00000000046B0000-0x0000000004822000-memory.dmp	modiloader_stage2
behavioral1/memory/2788-344-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/2192-363-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/1040-373-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-383-0x0000000005A20000-0x0000000005B92000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-395-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2
behavioral1/memory/1600-401-0x00000000046E0000-0x0000000004852000-memory.dmp	modiloader_stage2
behavioral1/memory/1600-406-0x0000000000400000-0x0000000000572000-memory.dmp	modiloader_stage2

Checks BIOS information in registry 2 TTPs 64 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vssms32.exe

Executes dropped EXE 64 IoCs

pid	Process
2760	vssms32.exe
872	vssms32.exe
2024	vssms32.exe
2088	vssms32.exe
2636	vssms32.exe
2168	vssms32.exe
2664	vssms32.exe
1976	vssms32.exe
1796	vssms32.exe
1036	vssms32.exe
1804	vssms32.exe
2848	vssms32.exe
2728	vssms32.exe
576	vssms32.exe
2152	vssms32.exe
2568	vssms32.exe
2560	vssms32.exe
2788	vssms32.exe
2192	vssms32.exe
1040	vssms32.exe
1972	vssms32.exe
1600	vssms32.exe
1028	vssms32.exe
2444	vssms32.exe
892	vssms32.exe
2604	vssms32.exe
2572	vssms32.exe
2552	vssms32.exe
2080	vssms32.exe
3056	vssms32.exe
2304	vssms32.exe
2976	vssms32.exe
2296	vssms32.exe
2212	vssms32.exe
628	vssms32.exe
1080	vssms32.exe
2284	vssms32.exe
2540	vssms32.exe
1028	vssms32.exe
2064	vssms32.exe
2700	vssms32.exe
2704	vssms32.exe
796	vssms32.exe
2404	vssms32.exe
2676	vssms32.exe
2908	vssms32.exe
2420	vssms32.exe
2268	vssms32.exe
2276	vssms32.exe
2432	vssms32.exe
2668	vssms32.exe
956	vssms32.exe
1664	vssms32.exe
2616	vssms32.exe
2324	vssms32.exe
2864	vssms32.exe
3068	vssms32.exe
2084	vssms32.exe
776	vssms32.exe
1552	vssms32.exe
2912	vssms32.exe
2932	vssms32.exe
2204	vssms32.exe
2268	vssms32.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe

Loads dropped DLL 64 IoCs

pid	Process
2944	dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe
2944	dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe
2760	vssms32.exe
2760	vssms32.exe
872	vssms32.exe
872	vssms32.exe
2024	vssms32.exe
2024	vssms32.exe
2088	vssms32.exe
2088	vssms32.exe
2636	vssms32.exe
2636	vssms32.exe
2168	vssms32.exe
2168	vssms32.exe
2664	vssms32.exe
2664	vssms32.exe
1976	vssms32.exe
1976	vssms32.exe
1796	vssms32.exe
1796	vssms32.exe
1036	vssms32.exe
1036	vssms32.exe
1804	vssms32.exe
1804	vssms32.exe
2848	vssms32.exe
2848	vssms32.exe
2728	vssms32.exe
2728	vssms32.exe
576	vssms32.exe
576	vssms32.exe
2152	vssms32.exe
2152	vssms32.exe
2568	vssms32.exe
2568	vssms32.exe
2560	vssms32.exe
2560	vssms32.exe
2788	vssms32.exe
2788	vssms32.exe
2192	vssms32.exe
2192	vssms32.exe
1040	vssms32.exe
1040	vssms32.exe
1972	vssms32.exe
1972	vssms32.exe
1600	vssms32.exe
1600	vssms32.exe
1028	vssms32.exe
1028	vssms32.exe
2444	vssms32.exe
2444	vssms32.exe
892	vssms32.exe
892	vssms32.exe
2604	vssms32.exe
2604	vssms32.exe
2572	vssms32.exe
2572	vssms32.exe
2552	vssms32.exe
2552	vssms32.exe
2080	vssms32.exe
2080	vssms32.exe
3056	vssms32.exe
3056	vssms32.exe
2304	vssms32.exe
2304	vssms32.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2944-0-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/files/0x0033000000018650-14.dat	upx
behavioral1/memory/2944-20-0x0000000004530000-0x00000000046A2000-memory.dmp	upx
behavioral1/memory/2760-24-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/2944-32-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/2760-47-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/872-67-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/2024-87-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/2088-113-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/2636-105-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/2636-126-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/2168-144-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/2664-169-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/1976-189-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/1796-181-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/1796-202-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/1036-220-0x0000000005BD0000-0x0000000005D42000-memory.dmp	upx
behavioral1/memory/1036-221-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/1804-239-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/2848-257-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/2728-272-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/576-285-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/2152-303-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/2568-313-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/2788-322-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/2560-326-0x0000000005CE0000-0x0000000005E52000-memory.dmp	upx
behavioral1/memory/2560-332-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/2788-344-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/2192-363-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/1040-373-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/1972-374-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/1600-385-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/1972-395-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/1600-406-0x0000000000400000-0x0000000000572000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\ooerHlPjgh = "IgAXB~BXtsUYpOpyZ@KUfWaZbD[CMswu"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\ooerHlPjgh = "GwAXB~BXzcUYpOpyZpKUfWaZbD[CMswu"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\bpNsiWeint = "VYTOZny]UwpAa@"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\bpNsiWeint = "V[tOZny]U{}KM`"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\bpNsiWeint = "VSXNZny]`dqYy`"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\JomNNdfCoC = "AudODzmPbWT{JdOkcD{vBVM]zWfoi"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\lVckucLdnLh = "Uh_z\\\x7fFtyi\|CTUzV"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\bpNsiWeint = "VVhNZny]@GDHT@"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\icdtwnz = "nNnvjYEkBRca\x7f`ixyRD}"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\ooerHlPjgh = "XGAXB~BXeSUYpOpyZ`KUfWaZbD[CMswu"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\icdtwnz = "nNnvjYEkBRca\x7f`ixyRD}"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\JomNNdfCoC = "AudODzmPbWT{JdOkcD{vBVM]zWfoi"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\bpNsiWeint = "VRtOZny]McYRXP"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\BdyclNfQXJt = "sBFyMecKyJZ`FlEILL\|lb@N_wcv@K]GK"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\lVckucLdnLh = "Uh_z\\\x7fFtyi\|CTUzV"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\eHsxayfzkTYku = "lMicWmzabbbO@wpe\\ogp^nHeryF"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\bpNsiWeint = "V[`OZny]SWV\x7fp`"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\bpNsiWeint = "VTtNZny]^SACd@"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\icdtwnz = "nNnvjYEkBRca\x7f`ixyRD}"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\icdtwnz = "nNnvjYEkBRca\x7f`ixyRD}"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\icdtwnz = "nNnvjYEkBRca\x7f`ixyRD}"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\eHsxayfzkTYku = "lMicWmzabbbO@wpe\\ogp^nHeryF"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\bpNsiWeint = "VYLOZny]HpMi\\p"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\bpNsiWeint = "VYpOZny]\|iPy\|P"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\icdtwnz = "nNnvjYEkBRca\x7f`ixyRD}"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\ooerHlPjgh = "]GAXB~BX`SUYpOpyZ`KUfWaZbD[CMswu"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\ooerHlPjgh = "YGAXB~BXdSUYpOpyZ`KUfWaZbD[CMswu"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\BdyclNfQXJt = "sBFyMecKyJZ`FlEILL\|lb@N_wcv@K]GK"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\icdtwnz = "nNnvjYEkBRca\x7f`ixyRD}"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\BdyclNfQXJt = "sBFyMecKyJZ`FlEILL\|lb@N_wcv@K]GK"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\JomNNdfCoC = "AudODzmPbWT{JdOkcD{vBVM]zWfoi"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\eHsxayfzkTYku = "lMicWmzabbbO@wpe\\ogp^nHeryF"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\JomNNdfCoC = "AudODzmPbWT{JdOkcD{vBVM]zWfoi"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\lVckucLdnLh = "Uh_z\\\x7fFtyi\|CTUzV"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\bpNsiWeint = "V_LOZny]lx\\WAp"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\BdyclNfQXJt = "sBFyMecKyJZ`FlEILL\|lb@N_wcv@K]GK"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\lVckucLdnLh = "Uh_z\\\x7fFtyi\|CTUzV"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\bpNsiWeint = "VThMZny]jOwYYp"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\eHsxayfzkTYku = "lMicWmzabbbO@wpe\\ogp^nHeryF"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\bpNsiWeint = "VUHNZny]`bVb``"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\bpNsiWeint = "VU\|NZny]VZPfQ`"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\bpNsiWeint = "VPDNZny]kQCZO`"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\bpNsiWeint = "V_xNZny]Jho~wp"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\lVckucLdnLh = "Uh_z\\\x7fFtyi\|CTUzV"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\icdtwnz = "nNnvjYEkBRca\x7f`ixyRD}"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\ooerHlPjgh = "IwAXB~BXtcUYpOpyZ@KUfWaZbD[CMswu"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\BdyclNfQXJt = "sBFyMecKyJZ`FlEILL\|lb@N_wcv@K]GK"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\BdyclNfQXJt = "sBFyMecKyJZ`FlEILL\|lb@N_wcv@K]GK"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\bpNsiWeint = "V[hNZny]nxUGG@"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\BdyclNfQXJt = "sBFyMecKyJZ`FlEILL\|lb@N_wcv@K]GK"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\bpNsiWeint = "VV@NZny]Xsg}u`"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\ooerHlPjgh = "]gAXB~BX`sUYpOpyZ`KUfWaZbD[CMswu"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\JomNNdfCoC = "AudODzmPbWT{JdOkcD{vBVM]zWfoi"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\bpNsiWeint = "V\\PNZny]BmsQnp"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\ooerHlPjgh = "SgAXB~BXnsUYpOpyZ`KUfWaZbD[CMswu"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\ooerHlPjgh = "DgAXB~BXysUYpOpyZpKUfWaZbD[CMswu"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\lVckucLdnLh = "Uh_z\\\x7fFtyi\|CTUzV"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\bpNsiWeint = "V_hOZny]cPtKs`"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\bpNsiWeint = "VYxOZny]~HKmmp"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\eHsxayfzkTYku = "lMicWmzabbbO@wpe\\ogp^nHeryF"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\JomNNdfCoC = "AudODzmPbWT{JdOkcD{vBVM]zWfoi"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\bpNsiWeint = "V\\@NZny]hC}E\\`"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\JomNNdfCoC = "AudODzmPbWT{JdOkcD{vBVM]zWfoi"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\icdtwnz = "nNnvjYEkBRca\x7f`ixyRD}"	vssms32.exe

NTFS ADS 64 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File created	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe
File opened for modification	C:\ProgramData\TEMP:CE2C623F	vssms32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2944	dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2944	dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe
Token: 33	2760	vssms32.exe
Token: SeIncBasePriorityPrivilege	2760	vssms32.exe
Token: 33	872	vssms32.exe
Token: SeIncBasePriorityPrivilege	872	vssms32.exe
Token: 33	2024	vssms32.exe
Token: SeIncBasePriorityPrivilege	2024	vssms32.exe
Token: 33	2088	vssms32.exe
Token: SeIncBasePriorityPrivilege	2088	vssms32.exe
Token: 33	2636	vssms32.exe
Token: SeIncBasePriorityPrivilege	2636	vssms32.exe
Token: 33	2168	vssms32.exe
Token: SeIncBasePriorityPrivilege	2168	vssms32.exe
Token: 33	2664	vssms32.exe
Token: SeIncBasePriorityPrivilege	2664	vssms32.exe
Token: 33	1976	vssms32.exe
Token: SeIncBasePriorityPrivilege	1976	vssms32.exe
Token: 33	1796	vssms32.exe
Token: SeIncBasePriorityPrivilege	1796	vssms32.exe
Token: 33	1036	vssms32.exe
Token: SeIncBasePriorityPrivilege	1036	vssms32.exe
Token: 33	1804	vssms32.exe
Token: SeIncBasePriorityPrivilege	1804	vssms32.exe
Token: 33	2848	vssms32.exe
Token: SeIncBasePriorityPrivilege	2848	vssms32.exe
Token: 33	2728	vssms32.exe
Token: SeIncBasePriorityPrivilege	2728	vssms32.exe
Token: 33	576	vssms32.exe
Token: SeIncBasePriorityPrivilege	576	vssms32.exe
Token: 33	2152	vssms32.exe
Token: SeIncBasePriorityPrivilege	2152	vssms32.exe
Token: 33	2568	vssms32.exe
Token: SeIncBasePriorityPrivilege	2568	vssms32.exe
Token: 33	2560	vssms32.exe
Token: SeIncBasePriorityPrivilege	2560	vssms32.exe
Token: 33	2788	vssms32.exe
Token: SeIncBasePriorityPrivilege	2788	vssms32.exe
Token: 33	2192	vssms32.exe
Token: SeIncBasePriorityPrivilege	2192	vssms32.exe
Token: 33	1040	vssms32.exe
Token: SeIncBasePriorityPrivilege	1040	vssms32.exe
Token: 33	1972	vssms32.exe
Token: SeIncBasePriorityPrivilege	1972	vssms32.exe
Token: 33	1600	vssms32.exe
Token: SeIncBasePriorityPrivilege	1600	vssms32.exe
Token: 33	1028	vssms32.exe
Token: SeIncBasePriorityPrivilege	1028	vssms32.exe
Token: 33	2444	vssms32.exe
Token: SeIncBasePriorityPrivilege	2444	vssms32.exe
Token: 33	892	vssms32.exe
Token: SeIncBasePriorityPrivilege	892	vssms32.exe
Token: 33	2604	vssms32.exe
Token: SeIncBasePriorityPrivilege	2604	vssms32.exe
Token: 33	2572	vssms32.exe
Token: SeIncBasePriorityPrivilege	2572	vssms32.exe
Token: 33	2552	vssms32.exe
Token: SeIncBasePriorityPrivilege	2552	vssms32.exe
Token: 33	2080	vssms32.exe
Token: SeIncBasePriorityPrivilege	2080	vssms32.exe
Token: 33	3056	vssms32.exe
Token: SeIncBasePriorityPrivilege	3056	vssms32.exe
Token: 33	2304	vssms32.exe
Token: SeIncBasePriorityPrivilege	2304	vssms32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2760	2944	dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe	30
PID 2944 wrote to memory of 2760	2944	dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe	30
PID 2944 wrote to memory of 2760	2944	dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe	30
PID 2944 wrote to memory of 2760	2944	dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe	30
PID 2760 wrote to memory of 872	2760	vssms32.exe	31
PID 2760 wrote to memory of 872	2760	vssms32.exe	31
PID 2760 wrote to memory of 872	2760	vssms32.exe	31
PID 2760 wrote to memory of 872	2760	vssms32.exe	31
PID 872 wrote to memory of 2024	872	vssms32.exe	32
PID 872 wrote to memory of 2024	872	vssms32.exe	32
PID 872 wrote to memory of 2024	872	vssms32.exe	32
PID 872 wrote to memory of 2024	872	vssms32.exe	32
PID 2024 wrote to memory of 2088	2024	vssms32.exe	33
PID 2024 wrote to memory of 2088	2024	vssms32.exe	33
PID 2024 wrote to memory of 2088	2024	vssms32.exe	33
PID 2024 wrote to memory of 2088	2024	vssms32.exe	33
PID 2088 wrote to memory of 2636	2088	vssms32.exe	34
PID 2088 wrote to memory of 2636	2088	vssms32.exe	34
PID 2088 wrote to memory of 2636	2088	vssms32.exe	34
PID 2088 wrote to memory of 2636	2088	vssms32.exe	34
PID 2636 wrote to memory of 2168	2636	vssms32.exe	35
PID 2636 wrote to memory of 2168	2636	vssms32.exe	35
PID 2636 wrote to memory of 2168	2636	vssms32.exe	35
PID 2636 wrote to memory of 2168	2636	vssms32.exe	35
PID 2168 wrote to memory of 2664	2168	vssms32.exe	36
PID 2168 wrote to memory of 2664	2168	vssms32.exe	36
PID 2168 wrote to memory of 2664	2168	vssms32.exe	36
PID 2168 wrote to memory of 2664	2168	vssms32.exe	36
PID 2664 wrote to memory of 1976	2664	vssms32.exe	37
PID 2664 wrote to memory of 1976	2664	vssms32.exe	37
PID 2664 wrote to memory of 1976	2664	vssms32.exe	37
PID 2664 wrote to memory of 1976	2664	vssms32.exe	37
PID 1976 wrote to memory of 1796	1976	vssms32.exe	38
PID 1976 wrote to memory of 1796	1976	vssms32.exe	38
PID 1976 wrote to memory of 1796	1976	vssms32.exe	38
PID 1976 wrote to memory of 1796	1976	vssms32.exe	38
PID 1796 wrote to memory of 1036	1796	vssms32.exe	39
PID 1796 wrote to memory of 1036	1796	vssms32.exe	39
PID 1796 wrote to memory of 1036	1796	vssms32.exe	39
PID 1796 wrote to memory of 1036	1796	vssms32.exe	39
PID 1036 wrote to memory of 1804	1036	vssms32.exe	40
PID 1036 wrote to memory of 1804	1036	vssms32.exe	40
PID 1036 wrote to memory of 1804	1036	vssms32.exe	40
PID 1036 wrote to memory of 1804	1036	vssms32.exe	40
PID 1804 wrote to memory of 2848	1804	vssms32.exe	41
PID 1804 wrote to memory of 2848	1804	vssms32.exe	41
PID 1804 wrote to memory of 2848	1804	vssms32.exe	41
PID 1804 wrote to memory of 2848	1804	vssms32.exe	41
PID 2848 wrote to memory of 2728	2848	vssms32.exe	42
PID 2848 wrote to memory of 2728	2848	vssms32.exe	42
PID 2848 wrote to memory of 2728	2848	vssms32.exe	42
PID 2848 wrote to memory of 2728	2848	vssms32.exe	42
PID 2728 wrote to memory of 576	2728	vssms32.exe	43
PID 2728 wrote to memory of 576	2728	vssms32.exe	43
PID 2728 wrote to memory of 576	2728	vssms32.exe	43
PID 2728 wrote to memory of 576	2728	vssms32.exe	43
PID 576 wrote to memory of 2152	576	vssms32.exe	44
PID 576 wrote to memory of 2152	576	vssms32.exe	44
PID 576 wrote to memory of 2152	576	vssms32.exe	44
PID 576 wrote to memory of 2152	576	vssms32.exe	44
PID 2152 wrote to memory of 2568	2152	vssms32.exe	45
PID 2152 wrote to memory of 2568	2152	vssms32.exe	45
PID 2152 wrote to memory of 2568	2152	vssms32.exe	45
PID 2152 wrote to memory of 2568	2152	vssms32.exe	45

C:\Users\Admin\AppData\Local\Temp\dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe"
1⤵
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\vssms32.exe
  "C:\Windows\system32\vssms32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\vssms32.exe
    "C:\Windows\system32\vssms32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:872
  - - C:\Windows\SysWOW64\vssms32.exe
      "C:\Windows\system32\vssms32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2024
    - - C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2088
      - C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        10⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        11⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        12⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        14⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        15⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        17⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        20⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        22⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        23⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        26⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        27⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        29⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        30⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        32⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        33⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        34⤵
        Checks BIOS information in registry
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        35⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:2212
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        37⤵
        Checks BIOS information in registry
        Executes dropped EXE
        NTFS ADS
        
        PID:1080
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        38⤵
        Checks BIOS information in registry
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        39⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        
        PID:2540
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        41⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        NTFS ADS
        
        PID:2064
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        42⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:2700
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        43⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        NTFS ADS
        
        PID:2704
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:796
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        45⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:2404
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        46⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        47⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        48⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        49⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        51⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:2432
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        52⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        NTFS ADS
        
        PID:2668
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        
        PID:2616
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        56⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:2324
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        58⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        
        PID:3068
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        59⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2084
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        60⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        
        PID:776
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        61⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        62⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        63⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        
        PID:2204
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        65⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        66⤵
        Checks BIOS information in registry
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:1732
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        67⤵
        Checks BIOS information in registry
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        
        PID:2652
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        68⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        69⤵
        Drops file in System32 directory
        
        PID:916
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        
        PID:2380
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        71⤵
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        72⤵
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        73⤵
        Checks BIOS information in registry
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        74⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:2760
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        75⤵
        Checks BIOS information in registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:2412
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        
        PID:3020
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        77⤵
        Checks BIOS information in registry
        
        PID:3032
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        78⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        79⤵
        Checks BIOS information in registry
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        80⤵
        Adds Run key to start application
        
        PID:2144
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        82⤵
        Checks BIOS information in registry
        Adds Run key to start application
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        83⤵
        Checks BIOS information in registry
        Modifies registry class
        NTFS ADS
        
        PID:1332
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        84⤵
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        85⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        86⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        87⤵
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        88⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        
        PID:1084
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        89⤵
        Checks BIOS information in registry
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        91⤵
        Adds Run key to start application
        Modifies registry class
        NTFS ADS
        
        PID:2424
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        93⤵
        Checks BIOS information in registry
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        94⤵
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        96⤵
        Checks BIOS information in registry
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        
        PID:2264
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        97⤵
        Checks BIOS information in registry
        Adds Run key to start application
        Modifies registry class
        NTFS ADS
        
        PID:984
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        98⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:908
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:2292
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        101⤵
        Checks BIOS information in registry
        Modifies registry class
        NTFS ADS
        
        PID:688
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        102⤵
        Adds Run key to start application
        
        PID:2512
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        103⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        104⤵
        Adds Run key to start application
        Drops file in System32 directory
        NTFS ADS
        
        PID:1004
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        105⤵
        Checks BIOS information in registry
        Adds Run key to start application
        NTFS ADS
        
        PID:836
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        106⤵
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        108⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        109⤵
        Checks BIOS information in registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        110⤵
        Checks BIOS information in registry
        Drops file in System32 directory
        NTFS ADS
        
        PID:2136
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        112⤵
        Adds Run key to start application
        NTFS ADS
        
        PID:372
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        113⤵
        Checks BIOS information in registry
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:2484
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        114⤵
        Checks BIOS information in registry
        Drops file in System32 directory
        NTFS ADS
        
        PID:1660
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        115⤵
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        
        PID:1248
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        116⤵
        Checks BIOS information in registry
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        117⤵
        Checks BIOS information in registry
        
        PID:2532
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        118⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        119⤵
        Checks BIOS information in registry
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        120⤵
        Checks BIOS information in registry
        Drops file in System32 directory
        NTFS ADS
        
        PID:2336
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        121⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:2944
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        122⤵
        Checks BIOS information in registry
        Drops file in System32 directory
        
        PID:2676
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        123⤵
        Checks BIOS information in registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        124⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        125⤵
        Checks BIOS information in registry
        Adds Run key to start application
        NTFS ADS
        
        PID:812
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        126⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        127⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:1964
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        128⤵
        Checks BIOS information in registry
        Adds Run key to start application
        Modifies registry class
        NTFS ADS
        
        PID:300
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        129⤵
        Checks BIOS information in registry
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        
        PID:1284
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        130⤵
        Adds Run key to start application
        Drops file in System32 directory
        NTFS ADS
        
        PID:1660
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        131⤵
        Checks BIOS information in registry
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        
        PID:2320
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        132⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        133⤵
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:1368
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        134⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:592
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        135⤵
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        136⤵
        NTFS ADS
        
        PID:2916
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        137⤵
        Checks BIOS information in registry
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        
        PID:2152
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        138⤵
        NTFS ADS
        
        PID:3044
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        139⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        140⤵
        Checks BIOS information in registry
        Adds Run key to start application
        
        PID:2296
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        141⤵
        
        PID:628
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        142⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        143⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        144⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        145⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        146⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        147⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        148⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        149⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        150⤵
        
        PID:764
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        151⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        152⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        153⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        154⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        155⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        156⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        157⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        158⤵
        
        PID:608
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        159⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        160⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        161⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        162⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        163⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        164⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        165⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        166⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        167⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        168⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        169⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        170⤵
        
        PID:872
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        171⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        172⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        173⤵
        
        PID:108
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        174⤵
        
        PID:568
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        175⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        176⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        177⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        178⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        179⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        180⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        181⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        182⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        183⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        184⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        185⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        186⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        187⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        188⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        189⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        190⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        191⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        192⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        193⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        194⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        195⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        196⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        197⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        198⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        199⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        200⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        201⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        202⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        203⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        204⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        205⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        206⤵
        
        PID:952
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        207⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        208⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        209⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        210⤵
        
        PID:612
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        211⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        212⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        213⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        214⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        215⤵
        
        PID:808
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        216⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        217⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        218⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        219⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        220⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        221⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        222⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        223⤵
        
        PID:952
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        224⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        225⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        226⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        227⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        228⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        229⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        230⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        231⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        232⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        233⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        234⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        235⤵
        
        PID:768
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        236⤵
        
        PID:860
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        237⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        238⤵
        
        PID:888
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        239⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        240⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        241⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        242⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        243⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        244⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        245⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        246⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        247⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        248⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        249⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        250⤵
        
        PID:324
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        251⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        252⤵
        
        PID:440
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        253⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        254⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        255⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        256⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        257⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        258⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        259⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        260⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        261⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        262⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        263⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        264⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        265⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        266⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        267⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        268⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        269⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        270⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        271⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        272⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        273⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        274⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        275⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        276⤵
        
        PID:612
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        277⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        278⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        279⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        280⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        281⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        282⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        283⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        284⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        285⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        286⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        287⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        288⤵
        
        PID:916
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        289⤵
        
        PID:564
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        290⤵
        
        PID:300
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        291⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        292⤵
        
        PID:560
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        293⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        294⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        295⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        296⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        297⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        298⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        299⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        300⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        301⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        302⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        303⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        304⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        305⤵
        
        PID:608
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        306⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        307⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        308⤵
        
        PID:892
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        309⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        310⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        311⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        312⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        313⤵
        
        PID:668
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        314⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        315⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        316⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        317⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        318⤵
        
        PID:880
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        319⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        320⤵
        
        PID:372
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        321⤵
        
        PID:440
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        322⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        323⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        324⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        325⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        326⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        327⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        328⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        329⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        330⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        331⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        332⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        333⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        334⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        335⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        336⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        337⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        338⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        339⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        340⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        341⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        342⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        343⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        344⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        345⤵
        
        PID:592
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        346⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        347⤵
        
        PID:572
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        348⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        349⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        350⤵
        
        PID:832
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        351⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        352⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        353⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        354⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        355⤵
        
        PID:108
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        356⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        357⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        358⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        359⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        360⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        361⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        362⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        363⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        364⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        365⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        366⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        367⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        368⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        369⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        370⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        371⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        372⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        373⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        374⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        375⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        376⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        377⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        378⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        379⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        380⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        381⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        382⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        383⤵
        
        PID:668
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        384⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        385⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        386⤵
        
        PID:928
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        387⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        388⤵
        
        PID:768
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        389⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        390⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        391⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        392⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        393⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        394⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        395⤵
        
        PID:936
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        396⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        397⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        398⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        399⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        400⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        401⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        402⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        403⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        404⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        405⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        406⤵
        
        PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:CE2C623F

Filesize
126B

MD5
90131184d5a84b19a087f96f743366d2

SHA1
ba8651d81a048c6945d599c7e494efc3a3675ac6

SHA256
80dee94b080badbfd7a6176568ffce31cfeb0bc1f06351deaafefc665e04bda0

SHA512
ba8b67cc9c1459fd82b7ae882e27009726b6a97829b0177eaf44515e72addcbf54b1f697402d3d001e0dc042d698cc2c4af575cfe01ee5d30ffb00204da53e51

Download Submit
C:\ProgramData\TEMP:CE2C623F

Filesize
126B

MD5
4104a2c922b681728e15eb1ae1bd1469

SHA1
e4974f769b6e569f20030263d6e9875e1d36fe97

SHA256
d4763c9412e05d5ab70772e1fc2ee966992f24041a86a07d4099e7645e4e78f9

SHA512
bd2fc971450da9f065a3fd5de64652c37f2e1837cc99618292916ceb45805da2d31a538e763e36a5fc8159bdad30d2a38c10ebca57dfdf328602fac7cbe3d555

Download Submit
C:\ProgramData\TEMP:CE2C623F

Filesize
126B

MD5
b7d69337d15e95cb914afbc8f6d3d0a2

SHA1
5490c264454af972a7d52c5ade1f371968d74fa8

SHA256
e624c86ca40dddc90f39e5e87dbf3045f7083669d164b5340d48f5bced790309

SHA512
12133fff4a683ff917bc2c00cb23ff721b4c400349cede81b7a96590cda3846b246af12a4befd2e279940cd77ac1b7d8f5655740a54a20217d39b92ac9ce61ad

Download Submit
C:\ProgramData\TEMP:CE2C623F

Filesize
126B

MD5
47fac959d9d1cff29b71ff0445ce0a10

SHA1
e60f35bc1e9d00243ba747232dbcc33150a4a217

SHA256
f47b4d73215d6fdca85f4ff2a5aa7f75c06fffff54ff1d64ca6f54a5d832cc4f

SHA512
b9a4a24a3b0ab0289f3b0a3562500deb149ac349b02534b508b36d50e1641ca7632c381cedcd9db0e5f86fe6f8ebd44b17bf6417d1b17759c596dcedaff88d89

Download Submit
C:\ProgramData\TEMP:CE2C623F

Filesize
126B

MD5
04bb2725dd0409926876c23347b7adfd

SHA1
266bb51cc8ffaa23a611e6a9f94410a33a5aab97

SHA256
35beab5b99ba27c30d10e429a9452610608781f3f1d29532a6a7ae1818d1773e

SHA512
d89a35bc89f25e81be168052f86ee2d2ced8ef89f33926b557cf4974e3353d397ea32f61c4642541b1f74cebee09eb70bf0357077bd40f9b272a223d8a25ef84

Download Submit
C:\ProgramData\TEMP:CE2C623F

Filesize
126B

MD5
810fe52c8c7eae7c402d4b40a1e2adc1

SHA1
ce546b2916d34339af3c9193dfce0f24ae9ff9d3

SHA256
66cfd955cbabf0468a8553aabe860f69401196b83666c53582d14b5666dd8573

SHA512
96bc722b809542aced9cc4a7e2b634f6eb9b03e572453221426c1b872ba572f269d83a3f8b892219d5bc05147318b6df7bbfc95b371ca6ca1b24bef84e65b49e

Download Submit
C:\ProgramData\TEMP:CE2C623F

Filesize
126B

MD5
7b5c8675ec1c4b339641268a8cb5dfb6

SHA1
10a9e45582a37778c68b664def37da06e4d5a4ac

SHA256
1ff398a06bb0bd8c41d143e1ce313e7b056c306558e89b2ed925d09af9315d32

SHA512
5446a7bca0bb6327bfe77bba357dfb3b02472612bbb905e74c5eb3b067608b7620f433c2deda0896e42252f3c849df26e93ed2f8926f2094c640b1a5ba0b111b

Download Submit
C:\ProgramData\TEMP:CE2C623F

Filesize
126B

MD5
824867497adf4e65458734de895d5f6a

SHA1
c3b937f012383b6b508a41ad4d0bb8369de7af07

SHA256
d2d3bb82365f6007e8fd33ef924ec3aa7e5a951dbf08a7139bb9b308d21584f3

SHA512
e18231dd1b9b2b79b249c9b547b3d446eadadf102bfe2c7098754c605395e7eeb6fcb1ca51b9795c8d300d0275fad3def111b05951be08388bbaaf90f5cc93f5

Download Submit
C:\ProgramData\TEMP:CE2C623F

Filesize
126B

MD5
60250abfc238f1df0a7e1306a6222aef

SHA1
c25e0f71d1619e64020d68154405bfd7cca1a1e1

SHA256
29bd5c793a6cf72814f3c9f0058bbcab30d9381a869827fc5d2128d87b46fd73

SHA512
2a6deb8be6c3c07e62468312e7fd91857498b77961d80e720332ca24646d4b847ce302e11946d89125a717d1b19a3ab3cf8bd1112d4bd9473ec20907fe5d1456

Download Submit
C:\ProgramData\TEMP:CE2C623F

Filesize
126B

MD5
f80917643f4844b2f2bbeecf0dbc9d56

SHA1
013d82ba10366f456b762afd22fe8e0c01f1cae9

SHA256
0dc2b7c64c6810edaa9e5edd522d6f9b19bd3b447ef839268a93bb6a2feca00d

SHA512
df927710729ec48237fd94764cffbb6f815c5ee4de02fea756ffcfd6f309b1da9a524a3acce7bb9781bc03a5f45f04813ba0841cc3281c493e037801284055dc

Download Submit
C:\ProgramData\TEMP:CE2C623F

Filesize
126B

MD5
18b9f6fc2ad38ed0498f6aa14576135c

SHA1
7ebcd5f30a667cebecbbf4e8663ecef29e64c0df

SHA256
3530a745f2ceade7ef4b4f3bcab50eea5a1a7b24b254d025f0d24db17b853c12

SHA512
20091cf6613d2061f4904a75fd42721d10dd68da4f2703c03416194efe1d9c78725a609282b80c0fdfa0995fb4a166269fe79169f2a0910e9232b435f78d6e41

Download Submit
C:\ProgramData\TEMP:CE2C623F

Filesize
126B

MD5
e032abee2b696e719e88f98164be6291

SHA1
d61f237a6675004a05d62f986377597b4400c2ec

SHA256
469b874855d4303626ddd18520bddcf3e6e059cc4520e9b472699d81e8471e5c

SHA512
456c2c3d247586fb2222375cc73c4af0a5d5c1324cc2baff1c7315092d7a385b561eb1778c3e9cd4375f5eb1dd2be287a5d50dccee549e344a7f7478a636b27b

Download Submit
\Windows\SysWOW64\vssms32.exe

Filesize
848KB

MD5
dd1a45c15e24e374b1ce61322b1b038a

SHA1
83e881353184e940b2f8998cbb4fd3b029e5daa6

SHA256
5229fb1862d1f09f614df4ff096f36543e7dab2b533ae8f562e26cfce9ee0855

SHA512
08d69311860e2a73e9c3286515c1ad6388c603a8a4aa5be8b7f0c4f830156af93fe538833a19ee36bcbec7d4c801ae54c458dfaf760fe1b636d8193e3e893d94

Download Submit
memory/576-285-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/872-49-0x0000000001CA0000-0x0000000001CF6000-memory.dmp

Filesize
344KB

Download
memory/872-57-0x0000000001CA0000-0x0000000001CF6000-memory.dmp

Filesize
344KB

Download
memory/872-66-0x00000000046E0000-0x0000000004852000-memory.dmp

Filesize
1.4MB

Download
memory/872-67-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/872-58-0x0000000001CA0000-0x0000000001CF6000-memory.dmp

Filesize
344KB

Download
memory/872-64-0x0000000001CA0000-0x0000000001CF6000-memory.dmp

Filesize
344KB

Download
memory/1036-221-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/1036-220-0x0000000005BD0000-0x0000000005D42000-memory.dmp

Filesize
1.4MB

Download
memory/1040-373-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/1600-385-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/1600-401-0x00000000046E0000-0x0000000004852000-memory.dmp

Filesize
1.4MB

Download
memory/1600-406-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/1796-202-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/1796-196-0x00000000042A0000-0x0000000004412000-memory.dmp

Filesize
1.4MB

Download
memory/1796-181-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/1804-239-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/1972-384-0x0000000005A20000-0x0000000005B92000-memory.dmp

Filesize
1.4MB

Download
memory/1972-395-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/1972-374-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/1972-383-0x0000000005A20000-0x0000000005B92000-memory.dmp

Filesize
1.4MB

Download
memory/1976-189-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2024-69-0x0000000000220000-0x0000000000276000-memory.dmp

Filesize
344KB

Download
memory/2024-84-0x0000000000220000-0x0000000000276000-memory.dmp

Filesize
344KB

Download
memory/2024-81-0x0000000005AB0000-0x0000000005C22000-memory.dmp

Filesize
1.4MB

Download
memory/2024-79-0x0000000005AB0000-0x0000000005C22000-memory.dmp

Filesize
1.4MB

Download
memory/2024-87-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2024-77-0x0000000000220000-0x0000000000276000-memory.dmp

Filesize
344KB

Download
memory/2088-104-0x0000000004300000-0x0000000004472000-memory.dmp

Filesize
1.4MB

Download
memory/2088-106-0x0000000000220000-0x0000000000276000-memory.dmp

Filesize
344KB

Download
memory/2088-113-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2088-97-0x0000000000220000-0x0000000000276000-memory.dmp

Filesize
344KB

Download
memory/2088-96-0x0000000000220000-0x0000000000276000-memory.dmp

Filesize
344KB

Download
memory/2152-303-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2168-142-0x0000000000220000-0x0000000000276000-memory.dmp

Filesize
344KB

Download
memory/2168-135-0x0000000000220000-0x0000000000276000-memory.dmp

Filesize
344KB

Download
memory/2168-136-0x0000000000220000-0x0000000000276000-memory.dmp

Filesize
344KB

Download
memory/2168-144-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2192-353-0x0000000005C00000-0x0000000005D72000-memory.dmp

Filesize
1.4MB

Download
memory/2192-363-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2560-332-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2560-326-0x0000000005CE0000-0x0000000005E52000-memory.dmp

Filesize
1.4MB

Download
memory/2568-313-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2636-120-0x0000000004240000-0x00000000043B2000-memory.dmp

Filesize
1.4MB

Download
memory/2636-105-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2636-117-0x0000000000220000-0x0000000000276000-memory.dmp

Filesize
344KB

Download
memory/2636-124-0x0000000000220000-0x0000000000276000-memory.dmp

Filesize
344KB

Download
memory/2636-126-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2664-169-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2728-272-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2760-24-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2760-46-0x0000000000690000-0x00000000006E6000-memory.dmp

Filesize
344KB

Download
memory/2760-48-0x0000000000690000-0x00000000006E6000-memory.dmp

Filesize
344KB

Download
memory/2760-37-0x0000000000690000-0x00000000006E6000-memory.dmp

Filesize
344KB

Download
memory/2760-47-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2760-31-0x0000000000690000-0x00000000006E6000-memory.dmp

Filesize
344KB

Download
memory/2760-38-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/2760-40-0x0000000005B20000-0x0000000005C92000-memory.dmp

Filesize
1.4MB

Download
memory/2760-42-0x0000000005B20000-0x0000000005C92000-memory.dmp

Filesize
1.4MB

Download
memory/2788-342-0x00000000046B0000-0x0000000004822000-memory.dmp

Filesize
1.4MB

Download
memory/2788-322-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2788-344-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2848-257-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2944-23-0x0000000004530000-0x00000000046A2000-memory.dmp

Filesize
1.4MB

Download
memory/2944-11-0x0000000000310000-0x0000000000366000-memory.dmp

Filesize
344KB

Download
memory/2944-32-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2944-12-0x0000000000310000-0x0000000000366000-memory.dmp

Filesize
344KB

Download
memory/2944-8-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2944-21-0x0000000000310000-0x0000000000366000-memory.dmp

Filesize
344KB

Download
memory/2944-33-0x0000000000310000-0x0000000000366000-memory.dmp

Filesize
344KB

Download
memory/2944-7-0x0000000000310000-0x0000000000366000-memory.dmp

Filesize
344KB

Download
memory/2944-20-0x0000000004530000-0x00000000046A2000-memory.dmp

Filesize
1.4MB

Download
memory/2944-0-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2944-1-0x0000000000310000-0x0000000000366000-memory.dmp

Filesize
344KB

Download
memory/2944-6-0x0000000000310000-0x0000000000366000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads