Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 10-12-2024 04:56
Behavioral task behavioral1
Sample: dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe
Resource: win7-20241010-en
Behavioral task behavioral2
Sample: dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe
Size: 848KB
MD5: dd1a45c15e24e374b1ce61322b1b038a
SHA1: 83e881353184e940b2f8998cbb4fd3b029e5daa6
SHA256: 5229fb1862d1f09f614df4ff096f36543e7dab2b533ae8f562e26cfce9ee0855
SHA512: 08d69311860e2a73e9c3286515c1ad6388c603a8a4aa5be8b7f0c4f830156af93fe538833a19ee36bcbec7d4c801ae54c458dfaf760fe1b636d8193e3e893d94
SSDEEP: 12288:oLn8V3EGAJi/jtNri+lckfi+B93Fp14KODz7coEpZocuRrp7hUkjJNNEuijUDlrB:oA30gtM4c4flODz7cQ5jfWui2Ut
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Modiloader family
ModiLoader Second Stage 64 IoCs
Checks BIOS information in registry 2 TTPs 64 IoCs
BIOS information is often read in order to detect sandboxing environments.
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 64 IoCs
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description ioc Process
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe
Adds Run key to start application 2 TTPs 64 IoCs
Drops file in System32 directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
NTFS ADS 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe"1⤵
- Checks BIOS information in registry
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"2⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"5⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"6⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"11⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"14⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"17⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"18⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"20⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"22⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"23⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2236 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4352 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4244 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"26⤵
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:1936 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"27⤵
- Executes dropped EXE
- Drops file in System32 directory
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:1952 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"28⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:4612 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"29⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:4412 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"30⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2792 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"31⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2556 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"32⤵
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2760 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"33⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4776 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4160 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"35⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"36⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
PID:2484 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:736 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"38⤵
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:1912 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"39⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2352 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"40⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
PID:3152 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"41⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:2604 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"42⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
PID:3208 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"43⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:2296 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"44⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
PID:2288 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"45⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- NTFS ADS
PID:1140 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"46⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- NTFS ADS
PID:1800 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"47⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Modifies registry class
- NTFS ADS
PID:2944 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"48⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- NTFS ADS
PID:2484 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"49⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:736 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"50⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- NTFS ADS
PID:1912 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"51⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
PID:2164 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"52⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:3552 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"53⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"54⤵
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:4912 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"55⤵
- Executes dropped EXE
- NTFS ADS
PID:2312 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"56⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4268 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"57⤵
- Checks computer location settings
- Executes dropped EXE
- NTFS ADS
PID:1712 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"58⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"59⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"60⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"61⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4500 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"62⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- NTFS ADS
PID:2460 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"63⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"64⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"65⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"66⤵
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
PID:2960 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"67⤵
- System Location Discovery: System Language Discovery
PID:4160 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"68⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:748 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"69⤵
- NTFS ADS
PID:940 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"70⤵
- Adds Run key to start application
- NTFS ADS
PID:1820 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"71⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- NTFS ADS
PID:4840 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"72⤵
- Checks computer location settings
- NTFS ADS
PID:436 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"73⤵
- Checks BIOS information in registry
- Adds Run key to start application
PID:1484 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"74⤵
- Checks BIOS information in registry
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:972 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"75⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
PID:4712 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"76⤵
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3792 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"77⤵
- System Location Discovery: System Language Discovery
PID:4492 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"78⤵
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
PID:2716 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"79⤵
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:3696 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"80⤵
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
PID:1656 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"81⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:3732 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"82⤵
- Checks BIOS information in registry
- Drops file in System32 directory
PID:3228 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"83⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:940 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"84⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
PID:1120 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"85⤵
- Checks computer location settings
- NTFS ADS
PID:4468 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"86⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
PID:2116 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"87⤵
- Checks computer location settings
- Modifies registry class
- NTFS ADS
PID:2224 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"88⤵
- Checks computer location settings
- Modifies registry class
PID:3088 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"89⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3216 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"90⤵
- Checks BIOS information in registry
- NTFS ADS
PID:2736 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"91⤵
- Checks BIOS information in registry
- Adds Run key to start application
PID:1104 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"92⤵
- Drops file in System32 directory
- NTFS ADS
PID:4092 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"93⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- NTFS ADS
PID:1520 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"94⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:3700 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"95⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3472 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"96⤵
PID:444 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"97⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"98⤵
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- NTFS ADS
PID:4412 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"99⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:2472 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"100⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
PID:2892 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"101⤵
- Checks BIOS information in registry
PID:3304 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"102⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"103⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
PID:4712 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"104⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"105⤵
- System Location Discovery: System Language Discovery
PID:364 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"106⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4400 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"107⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
PID:4128 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"108⤵
- Checks computer location settings
- Adds Run key to start application
PID:4580 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"109⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
PID:3512 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"110⤵
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:3016 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"111⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"112⤵
- Checks BIOS information in registry
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4648 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"113⤵
- Checks BIOS information in registry
- Modifies registry class
PID:3832 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"114⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
PID:264 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"115⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:5088 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"116⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4820 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"117⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"118⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- NTFS ADS
PID:4296 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"119⤵
- Checks BIOS information in registry
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"120⤵
- Checks BIOS information in registry
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
PID:896 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"121⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3972 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"122⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4396
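The WriteProcessMemory table and the process tree above describe one linear chain: the dropped vssms32.exe writes into a fresh copy of itself, which does the same, for over a hundred levels. The following Python is an added example, not part of the sandbox report or the loader itself; it rebuilds the table's 64 records from the 22 distinct writer/target pairs the report lists, collapses the triplicated entries, resolves reused PIDs (4412 is the target at levels 8 and 18 of the tree) to separate instances by order of appearance, and measures how deep the vssms32.exe self-spawn run goes. It assumes the report's procid_target column is the report's own index of the target process rather than a PID; the sample text is constructed from the page's values in the report's own record format.

```python
"""Rebuild the ModiLoader spawn chain from the sandbox's flattened
"Suspicious use of WriteProcessMemory" records.

Added example, not part of the sandbox report.  The sample text is
constructed from the 22 distinct writer/target pairs the report lists,
replayed in the report's record format.
"""
import re
from dataclasses import dataclass

# One record: "PID <src> wrote to memory of <dst>", the pid column (same as
# <src>), the writer's image name, and procid_target.  Treating that last
# column as the report's index of the target process, not a PID, is an
# assumption about the report format.
RECORD = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P=src) (?P<image>\S+) (?P<target_idx>\d+)"
)

ROOT_IMAGE = "dd1a45c15e24e374b1ce61322b1b038a_JaffaCakes118.exe"

# (writer PID, target PID, report index) in the order the table lists them.
SPAWNS = [
    (4572, 768, 85), (768, 4136, 86), (4136, 2364, 87), (2364, 1948, 90),
    (1948, 2616, 93), (2616, 3476, 95), (3476, 4412, 96), (4412, 2600, 97),
    (2600, 1540, 100), (1540, 2652, 101), (2652, 4520, 103), (4520, 5088, 106),
    (5088, 392, 108), (392, 3912, 109), (3912, 3944, 110), (3944, 4612, 111),
    (4612, 4412, 112), (4412, 760, 113), (760, 3324, 114), (3324, 3276, 115),
    (3276, 2736, 116), (2736, 2236, 117),
]


def build_sample_text():
    """Constructed sample: every WriteProcessMemory call is logged, so each
    spawn appears three times; the table is capped at 64 IoCs, which leaves
    a single record for the last pair."""
    parts = []
    for i, (src, dst, idx) in enumerate(SPAWNS):
        image = ROOT_IMAGE if src == 4572 else "vssms32.exe"
        repeats = 1 if i == len(SPAWNS) - 1 else 3
        parts += [f"PID {src} wrote to memory of {dst} {src} {image} {idx}"] * repeats
    return " ".join(parts)


@dataclass
class Edge:
    parent: str   # instance id of the writing process
    child: str    # instance id of the target process
    src_pid: int
    dst_pid: int
    image: str    # image name of the writing process


def parse_records(text):
    """Turn the flattened table into ordered, de-duplicated edges.

    Identical (src, dst, target_idx) triples collapse to one edge.  Instances
    are keyed by report index, and the PID-to-instance map is updated in
    record order, so a PID Windows hands out again (4412 is a target twice
    in this report) resolves to the instance that was alive at the time.
    """
    pid_to_instance, seen, edges = {}, set(), []
    for m in RECORD.finditer(text):
        src, dst = int(m["src"]), int(m["dst"])
        key = (src, dst, m["target_idx"])
        if key in seen:
            continue
        seen.add(key)
        parent = pid_to_instance.get(src)
        if parent is None:            # writer never seen as a target: the root sample
            parent = f"root:{src}"
            pid_to_instance[src] = parent
        child = f"proc:{m['target_idx']}"
        pid_to_instance[dst] = child
        edges.append(Edge(parent, child, src, dst, m["image"]))
    return edges


def chain_depth(edges):
    """Longest root-to-leaf path in edges (records arrive parent-first)."""
    depth, best = {}, 0
    for e in edges:
        depth[e.child] = depth.get(e.parent, 0) + 1
        best = max(best, depth[e.child])
    return best


def longest_self_spawn_run(edges):
    """Longest run of a process writing into a child that runs the same image.

    A child's image is only known once it writes into something itself, so
    the final leaf (proc:117, PID 2236) cannot be counted either way.
    """
    image_of = {e.parent: e.image for e in edges}
    run, best = {}, 0
    for e in edges:
        if image_of.get(e.child) == e.image:
            run[e.child] = run.get(e.parent, 0) + 1
            best = max(best, run[e.child])
    return best


if __name__ == "__main__":
    edges = parse_records(build_sample_text())
    print(f"{len(edges)} distinct spawns, chain depth {chain_depth(edges)}, "
          f"vssms32.exe self-spawn run {longest_self_spawn_run(edges)}")
    for e in edges:
        if e.src_pid == 4412:
            print(f"PID 4412 as {e.parent} wrote into PID {e.dst_pid} ({e.child})")
```

The depth of 22 edges matches the 23 nesting levels (1⤵ to 23⤵) that the 64-IoC table reaches; the tree itself runs to level 122 because the table is capped, so the tree, not the table, is the authority on how far the chain actually went. Keying instances by PID alone would merge the two 4412 instances and turn the linear chain into a loop, which is the usual way a naive parent/child reconstruction goes wrong on a long-running sandbox trace.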