Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
116s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/12/2024, 07:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
14 signatures
150 seconds
Behavioral task
behavioral2
Sample
e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
15 signatures
150 seconds
General
-
Target
e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe
-
Size
2.1MB
-
MD5
e06e7a2a0929a1cfcfd7ecdb40407c6a
-
SHA1
c0597f475c927f7db4403ddd5cf84e05769df1ae
-
SHA256
69af7af8a3638b3e7b9580a3200e37b95ca42ea96d1d64c0891a64948aef1643
-
SHA512
4d77682fff4ce77c675b45171692edcc6f0e397f9e02cb94b35bfd29c976a07f02e81d898bf96e0afebceda0ffa8ceedb9d1ce873da8099361d1418fff8a095d
-
SSDEEP
49152:nCqjf61tAqHFeX67u3JxqnY0BCCnHYCnHr:ndz61xHkXOuDqY0ICnHYCnHr
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 64 IoCs
resource yara_rule behavioral2/memory/1376-24-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/1376-67-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/224-71-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/4464-75-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/4696-77-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/2252-80-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/800-83-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/3848-86-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/3064-92-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/216-89-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/216-95-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/2936-99-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/756-102-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/1904-105-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/2160-108-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/740-110-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/1848-112-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/264-114-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/1872-116-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/1848-118-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/1872-121-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/4476-124-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/1860-127-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/5064-130-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/3148-134-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/1224-136-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/5096-139-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/956-142-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/4588-145-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/4452-149-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/1592-152-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/5112-154-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/2080-158-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/2364-161-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/4060-164-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/4444-167-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/5028-168-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/4776-170-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/4596-172-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/800-174-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/3848-176-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/3064-178-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/996-180-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/3328-182-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/3736-184-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/2044-186-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/4396-188-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/4492-190-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/4348-192-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/2712-194-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/4996-196-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/4860-198-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/4316-200-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/3084-202-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/1160-204-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/2996-205-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/4100-207-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/1624-208-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/2220-210-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/4624-212-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/4696-214-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/4356-216-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/2404-218-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 behavioral2/memory/4300-220-0x0000000000400000-0x00000000004C3000-memory.dmp modiloader_stage2 -
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation Program.EXE Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation vssms32.exe -
Executes dropped EXE 64 IoCs
pid Process 1376 Program.EXE 3120 Program1.EXE 224 vssms32.exe 4464 vssms32.exe 4696 vssms32.exe 2252 vssms32.exe 800 vssms32.exe 3848 vssms32.exe 3064 vssms32.exe 216 vssms32.exe 2936 vssms32.exe 756 vssms32.exe 1904 vssms32.exe 2160 vssms32.exe 740 vssms32.exe 264 vssms32.exe 1848 vssms32.exe 1872 vssms32.exe 4476 vssms32.exe 1860 vssms32.exe 5064 vssms32.exe 3148 vssms32.exe 1224 vssms32.exe 5096 vssms32.exe 956 vssms32.exe 4588 vssms32.exe 4452 vssms32.exe 1592 vssms32.exe 5112 vssms32.exe 2080 vssms32.exe 2364 vssms32.exe 4060 vssms32.exe 4444 vssms32.exe 5028 vssms32.exe 4776 vssms32.exe 4596 vssms32.exe 800 vssms32.exe 3848 vssms32.exe 3064 vssms32.exe 996 vssms32.exe 3328 vssms32.exe 3736 vssms32.exe 2044 vssms32.exe 4396 vssms32.exe 4492 vssms32.exe 4348 vssms32.exe 2712 vssms32.exe 4996 vssms32.exe 4860 vssms32.exe 4316 vssms32.exe 3084 vssms32.exe 1160 vssms32.exe 2996 vssms32.exe 4100 vssms32.exe 1624 vssms32.exe 2220 vssms32.exe 4624 vssms32.exe 4696 vssms32.exe 4356 vssms32.exe 2404 vssms32.exe 4300 vssms32.exe 4112 vssms32.exe 376 vssms32.exe 2848 vssms32.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc Program.EXE Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power Program.EXE Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys Program.EXE Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc Program.EXE Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager Program.EXE Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys Program.EXE -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe" vssms32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File opened for modification C:\Windows\SysWOW64\vssms32.exe vssms32.exe File created C:\Windows\SysWOW64\vssms32.exe vssms32.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1652 set thread context of 896 1652 e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe 83 -
resource yara_rule behavioral2/memory/896-1-0x0000000000400000-0x000000000040F000-memory.dmp upx behavioral2/memory/896-4-0x0000000000400000-0x000000000040F000-memory.dmp upx behavioral2/memory/896-2-0x0000000000400000-0x000000000040F000-memory.dmp upx behavioral2/memory/896-7-0x0000000000400000-0x000000000040F000-memory.dmp upx behavioral2/files/0x0008000000023cb0-11.dat upx behavioral2/memory/1376-18-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/1376-24-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/896-28-0x0000000000400000-0x000000000040F000-memory.dmp upx behavioral2/memory/224-65-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/1376-67-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/4464-69-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/224-71-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/4696-73-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/4464-75-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/4696-77-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/2252-80-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/800-83-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/3848-86-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/3064-92-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/216-89-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/216-95-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/2936-99-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/756-102-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/1904-105-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/2160-108-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/740-110-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/1848-112-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/264-114-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/1872-116-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/1848-118-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/1872-121-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/4476-124-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/1860-127-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/5064-130-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/3148-134-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/1224-136-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/5096-139-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/956-142-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/4588-145-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/4452-149-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/1592-152-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/5112-154-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/2080-158-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/2364-161-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/4060-164-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/4444-167-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/5028-168-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/4776-170-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/4596-172-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/800-174-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/3848-176-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/3064-178-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/996-180-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/3328-182-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/3736-184-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/2044-186-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/4396-188-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/4492-190-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/4348-192-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/2712-194-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/4996-196-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/4860-198-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/4316-200-0x0000000000400000-0x00000000004C3000-memory.dmp upx behavioral2/memory/3084-202-0x0000000000400000-0x00000000004C3000-memory.dmp upx -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Program.EXE e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe File created C:\Windows\Program1.EXE e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssms32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vssms32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1652 wrote to memory of 896 1652 e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe 83 PID 1652 wrote to memory of 896 1652 e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe 83 PID 1652 wrote to memory of 896 1652 e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe 83 PID 1652 wrote to memory of 896 1652 e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe 83 PID 1652 wrote to memory of 896 1652 e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe 83 PID 896 wrote to memory of 1376 896 e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe 84 PID 896 wrote to memory of 1376 896 e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe 84 PID 896 wrote to memory of 1376 896 e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe 84 PID 896 wrote to memory of 3120 896 e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe 85 PID 896 wrote to memory of 3120 896 e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe 85 PID 896 wrote to memory of 3120 896 e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe 85 PID 1376 wrote to memory of 224 1376 Program.EXE 86 PID 1376 wrote to memory of 224 1376 Program.EXE 86 PID 1376 wrote to memory of 224 1376 Program.EXE 86 PID 224 wrote to memory of 4464 224 vssms32.exe 87 PID 224 wrote to memory of 4464 224 vssms32.exe 87 PID 224 wrote to memory of 4464 224 vssms32.exe 87 PID 4464 wrote to memory of 4696 4464 vssms32.exe 88 PID 4464 wrote to memory of 4696 4464 vssms32.exe 88 PID 4464 wrote to memory of 4696 4464 vssms32.exe 88 PID 4696 wrote to memory of 2252 4696 vssms32.exe 89 PID 4696 wrote to memory of 2252 4696 vssms32.exe 89 PID 4696 wrote to memory of 2252 4696 vssms32.exe 89 PID 2252 wrote to memory of 800 2252 vssms32.exe 90 PID 2252 wrote to memory of 800 2252 vssms32.exe 90 PID 2252 wrote to memory of 800 2252 vssms32.exe 90 PID 800 wrote to memory of 3848 800 vssms32.exe 91 PID 800 wrote to memory of 3848 800 vssms32.exe 91 PID 800 wrote to memory of 3848 800 vssms32.exe 91 PID 3848 wrote to memory of 3064 3848 vssms32.exe 92 PID 3848 wrote to memory of 3064 3848 vssms32.exe 92 PID 3848 wrote to memory of 3064 3848 vssms32.exe 92 PID 3064 wrote to memory of 216 3064 vssms32.exe 93 PID 3064 wrote to memory of 216 3064 vssms32.exe 93 PID 3064 wrote to memory of 216 3064 vssms32.exe 93 PID 216 wrote to memory of 2936 216 vssms32.exe 94 PID 216 wrote to memory of 2936 216 vssms32.exe 94 PID 216 wrote to memory of 2936 216 vssms32.exe 94 PID 2936 wrote to memory of 756 2936 vssms32.exe 95 PID 2936 wrote to memory of 756 2936 vssms32.exe 95 PID 2936 wrote to memory of 756 2936 vssms32.exe 95 PID 756 wrote to memory of 1904 756 vssms32.exe 96 PID 756 wrote to memory of 1904 756 vssms32.exe 96 PID 756 wrote to memory of 1904 756 vssms32.exe 96 PID 1904 wrote to memory of 2160 1904 vssms32.exe 97 PID 1904 wrote to memory of 2160 1904 vssms32.exe 97 PID 1904 wrote to memory of 2160 1904 vssms32.exe 97 PID 2160 wrote to memory of 740 2160 vssms32.exe 98 PID 2160 wrote to memory of 740 2160 vssms32.exe 98 PID 2160 wrote to memory of 740 2160 vssms32.exe 98 PID 740 wrote to memory of 264 740 vssms32.exe 99 PID 740 wrote to memory of 264 740 vssms32.exe 99 PID 740 wrote to memory of 264 740 vssms32.exe 99 PID 264 wrote to memory of 1848 264 vssms32.exe 100 PID 264 wrote to memory of 1848 264 vssms32.exe 100 PID 264 wrote to memory of 1848 264 vssms32.exe 100 PID 1848 wrote to memory of 1872 1848 vssms32.exe 101 PID 1848 wrote to memory of 1872 1848 vssms32.exe 101 PID 1848 wrote to memory of 1872 1848 vssms32.exe 101 PID 1872 wrote to memory of 4476 1872 vssms32.exe 102 PID 1872 wrote to memory of 4476 1872 vssms32.exe 102 PID 1872 wrote to memory of 4476 1872 vssms32.exe 102 PID 4476 wrote to memory of 1860 4476 vssms32.exe 103 PID 4476 wrote to memory of 1860 4476 vssms32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Users\Admin\AppData\Local\Temp\e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e06e7a2a0929a1cfcfd7ecdb40407c6a_JaffaCakes118.exe2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\Program.EXE"C:\Windows\Program.EXE"3⤵
- Checks computer location settings
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"8⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"9⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"11⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"12⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"14⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"16⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"22⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"23⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:3148 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1224 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5096 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"26⤵
- Executes dropped EXE
- Modifies registry class
PID:956 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4588 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"28⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5112 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"31⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"33⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4060 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4444 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"35⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"36⤵
- Executes dropped EXE
- Modifies registry class
PID:4776 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4596 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"38⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:800 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"39⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3848 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"40⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"41⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:996 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"42⤵
- Checks computer location settings
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"43⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:3736 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"44⤵
- Checks computer location settings
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"45⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4396 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"46⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"47⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4348 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"49⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4996 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"50⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4860 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4316 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3084 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"53⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"54⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"55⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4100 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"56⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1624 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"57⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2220 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"58⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4624 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"59⤵
- Checks computer location settings
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"60⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4356 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"61⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4300 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"63⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4112 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:376 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"65⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2848 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"66⤵
- Checks computer location settings
PID:2412 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"67⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4088 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"68⤵
- Drops file in System32 directory
PID:1836 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"69⤵
- Drops file in System32 directory
- Modifies registry class
PID:3620 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"70⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"71⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4312 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"72⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1172 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"73⤵
- Adds Run key to start application
- Modifies registry class
PID:3612 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"74⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4452 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"75⤵
- Checks computer location settings
PID:1644 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"76⤵
- Drops file in System32 directory
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"77⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4952 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"78⤵
- Adds Run key to start application
PID:2812 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"79⤵
- Modifies registry class
PID:4296 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"80⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"81⤵
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"82⤵
- Checks computer location settings
PID:220 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"83⤵
- System Location Discovery: System Language Discovery
PID:4032 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"84⤵PID:1544
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"85⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"86⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4208 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"87⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:376 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"88⤵
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"89⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"90⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4492 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"91⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"92⤵
- Adds Run key to start application
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"93⤵
- Checks computer location settings
PID:736 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"94⤵
- Checks computer location settings
PID:4140 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"95⤵
- Checks computer location settings
PID:2276 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"96⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"97⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"98⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:380 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"99⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3424 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"100⤵
- Adds Run key to start application
PID:1592 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"101⤵
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"102⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"103⤵
- Drops file in System32 directory
PID:224 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"104⤵PID:2812
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"105⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:4608 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"106⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"107⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"108⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"109⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3372 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"110⤵
- Adds Run key to start application
PID:756 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"111⤵
- Modifies registry class
PID:4172 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"112⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3512 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"113⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:444 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"114⤵
- Checks computer location settings
PID:4476 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"115⤵
- Adds Run key to start application
PID:3592 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"116⤵
- Checks computer location settings
- Adds Run key to start application
PID:2816 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"117⤵PID:3192
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"118⤵PID:2444
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"119⤵PID:4904
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"120⤵
- System Location Discovery: System Language Discovery
PID:3692 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"121⤵
- Checks computer location settings
- Adds Run key to start application
PID:4140
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-