Analysis
- max time kernel: 130s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/12/2024, 02:46
Behavioral task behavioral1
- Sample: e45765493caf8308294100c216f5276e_JaffaCakes118.exe
- Resource: win7-20241010-en
Behavioral task behavioral2
- Sample: e45765493caf8308294100c216f5276e_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: e45765493caf8308294100c216f5276e_JaffaCakes118.exe
- Size: 962KB
- MD5: e45765493caf8308294100c216f5276e
- SHA1: a555c794ed5d64b79c86fe42c7ba41e8135faed3
- SHA256: dc93b82ab542530e3b506c0b693fe1aeb5b711ad870600a72c0df57206178f72
- SHA512: 2158752d3472f6328648716d93ef4117762dd071a0744646e66af46c8fd3bcc1aa1894e9de2d037e7ce01b72ecea8047427cfef0e55095b51f957deb7375a69a
- SSDEEP: 12288:fQ79F4wACY4QMnHRXC5714bir9VMQUUYMlc9IMDzHa6ACQTtLvcoKMGMMMCMMMp:faDdW52PHa6ytIoK9MMMCMMMp
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage (64 IoCs)
- Checks computer location settings (2 TTPs, 64 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE (64 IoCs)
- Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
  Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys (Program.EXE)
  Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc (Program.EXE)
  Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power (Program.EXE)
  Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys (Program.EXE)
  Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc (Program.EXE)
  Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager (Program.EXE)
- Adds Run key to start application (2 TTPs, 64 IoCs)
- Drops file in System32 directory (64 IoCs)
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target
3028 1600 WerFault.exe 84
2744 1600 WerFault.exe 84
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e45765493caf8308294100c216f5276e_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\e45765493caf8308294100c216f5276e_JaffaCakes118.exe"  (level 1)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\Program.EXE  "C:\Windows\Program.EXE"  (level 2)
- Checks computer location settings
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 4)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 5)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 6)
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 7)
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 8)
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 9)
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 10)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 11)
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 12)
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 13)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 14)
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 15)
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 16)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 17)
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 18)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 19)
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 20)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 21)
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 22)
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5060 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 23)
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 24)
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 25)
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 26)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4308 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 27)
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 28)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4932 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 29)
- Checks computer location settings
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 30)
- Checks computer location settings
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 31)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3384 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 32)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 33)
- Checks computer location settings
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 34)
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 35)
- Executes dropped EXE
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 36)
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 37)
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1572 -
C:\Windows\SysWOW64\vssms32.exe  "C:\Windows\system32\vssms32.exe"  (level 38)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3996 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"39⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3876 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"40⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3988 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"41⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"42⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:3112 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"43⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:4244 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"44⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1484 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"45⤵
- Executes dropped EXE
- Modifies registry class
PID:744 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"46⤵
- Executes dropped EXE
- Modifies registry class
PID:4532 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"47⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5080 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"49⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:952 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"50⤵
- Executes dropped EXE
- Modifies registry class
PID:1192 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"51⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4916 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4876 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"53⤵
- Checks computer location settings
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1880 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"55⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"56⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4468 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"57⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:3832 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"58⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"59⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2188 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"60⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"61⤵
- Executes dropped EXE
- Modifies registry class
PID:5072 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"62⤵
- Executes dropped EXE
- Modifies registry class
PID:704 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"63⤵
- Checks computer location settings
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"64⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3648 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"65⤵
- Checks computer location settings
PID:2272 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"66⤵
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"67⤵
- Checks computer location settings
- Adds Run key to start application
PID:2688 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"68⤵
- Modifies registry class
PID:4692 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"69⤵
- Modifies registry class
PID:4300 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"70⤵PID:4044
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"71⤵
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"72⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5052 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"73⤵PID:4804
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"74⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"75⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"76⤵
- Checks computer location settings
PID:4492 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"77⤵
- Modifies registry class
PID:4920 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"78⤵PID:3116
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"79⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1468 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"80⤵
- Checks computer location settings
- Modifies registry class
PID:4344 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"81⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"82⤵
- Checks computer location settings
- Adds Run key to start application
PID:3916 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"83⤵
- Drops file in System32 directory
PID:4156 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"84⤵
- Adds Run key to start application
PID:1604 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"85⤵
- System Location Discovery: System Language Discovery
PID:3204 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"86⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3584 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"87⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3616 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"88⤵
- Drops file in System32 directory
PID:732 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"89⤵
- Modifies registry class
PID:3988 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"90⤵
- Checks computer location settings
- Adds Run key to start application
PID:1980 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"91⤵
- Checks computer location settings
- Modifies registry class
PID:3112 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"92⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4768 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"93⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3452 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"94⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:4140 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"95⤵
- Drops file in System32 directory
- Modifies registry class
PID:456 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"96⤵
- Adds Run key to start application
PID:3248 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"97⤵PID:1340
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"98⤵
- Modifies registry class
PID:4976 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"99⤵
- Checks computer location settings
- Modifies registry class
PID:3408 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"100⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4488 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"101⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4896 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"102⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"103⤵
- Checks computer location settings
- Modifies registry class
PID:4840 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"104⤵PID:4524
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"105⤵PID:3972
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"106⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:4504 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"107⤵
- Adds Run key to start application
PID:4764 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"108⤵PID:1692
-
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"109⤵
- Adds Run key to start application
PID:3540 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"110⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"111⤵
- Checks computer location settings
PID:1604 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"112⤵
- System Location Discovery: System Language Discovery
PID:3204 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"113⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4968 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"114⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"115⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"116⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
PID:4368 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"117⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4380 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"118⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"119⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"120⤵
- Checks computer location settings
- Modifies registry class
PID:436 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"121⤵
- Modifies registry class
PID:388 -
C:\Windows\SysWOW64\vssms32.exe"C:\Windows\system32\vssms32.exe"122⤵
- Adds Run key to start application
- Modifies registry class
PID:3720