modiloader | 8f77ef7c38ba8d72c7f1fc411801c7b7c5b42d7a0f7c877db8624f8e8113eb39

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
Size

776KB
MD5

fbdbb31466b09f812976925578b1e053
SHA1

e7a204ec8cff2ca0e430656dcec8d1819b8b0618
SHA256

8f77ef7c38ba8d72c7f1fc411801c7b7c5b42d7a0f7c877db8624f8e8113eb39
SHA512

831a36ac984ede03b3b6e9d482b179ce9f49f67b5258bd4e809f0f96a82eb962cf1e2d096ed0cf7ff72005246c6b6040c506e152cb4b178b4d2b29052bc5f2ba
SSDEEP

12288:ywtYgRM3k33tUwRyz52ccrFa0vhPROrliSajsBB0u0b/bnwgc:rtYgRIk33NRyF2hrdvjOr70zbwgc

Score

10^/10

modiloader defense_evasion discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 10 IoCs

resource	yara_rule
behavioral2/memory/4656-9-0x0000000000400000-0x00000000004BD000-memory.dmp	modiloader_stage2
behavioral2/memory/4656-12-0x0000000000400000-0x00000000004BD000-memory.dmp	modiloader_stage2
behavioral2/memory/4656-74-0x0000000000400000-0x00000000004BD000-memory.dmp	modiloader_stage2
behavioral2/memory/536-89-0x0000000000400000-0x00000000004BD000-memory.dmp	modiloader_stage2
behavioral2/memory/536-92-0x0000000000400000-0x00000000004BD000-memory.dmp	modiloader_stage2
behavioral2/memory/4352-107-0x0000000000400000-0x00000000004BD000-memory.dmp	modiloader_stage2
behavioral2/memory/4352-110-0x0000000000400000-0x00000000004BD000-memory.dmp	modiloader_stage2
behavioral2/memory/768-125-0x0000000000400000-0x00000000004BD000-memory.dmp	modiloader_stage2
behavioral2/memory/768-127-0x0000000000400000-0x00000000004BD000-memory.dmp	modiloader_stage2
behavioral2/memory/3268-144-0x0000000000400000-0x00000000004BD000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 24 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	vssms32.exe

Executes dropped EXE 46 IoCs

pid	Process
1504	vssms32.exe
536	vssms32.exe
364	vssms32.exe
4352	vssms32.exe
2488	vssms32.exe
768	vssms32.exe
1848	vssms32.exe
3268	vssms32.exe
5096	vssms32.exe
1636	vssms32.exe
4284	vssms32.exe
5028	vssms32.exe
2332	vssms32.exe
4748	vssms32.exe
3388	vssms32.exe
964	vssms32.exe
4996	vssms32.exe
4832	vssms32.exe
3448	vssms32.exe
1192	vssms32.exe
2056	vssms32.exe
2296	vssms32.exe
3172	vssms32.exe
4304	vssms32.exe
1688	vssms32.exe
3548	vssms32.exe
2052	vssms32.exe
1580	vssms32.exe
1312	vssms32.exe
3180	vssms32.exe
4728	vssms32.exe
4640	vssms32.exe
2148	vssms32.exe
4648	vssms32.exe
2304	vssms32.exe
4972	vssms32.exe
1420	vssms32.exe
4588	vssms32.exe
1480	vssms32.exe
3924	vssms32.exe
2124	vssms32.exe
1516	vssms32.exe
1224	vssms32.exe
420	vssms32.exe
2788	vssms32.exe
1848	vssms32.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe

Suspicious use of SetThreadContext 24 IoCs

description	pid	Process	procid_target
PID 1752 set thread context of 4656	1752	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	82
PID 1504 set thread context of 536	1504	vssms32.exe	84
PID 364 set thread context of 4352	364	vssms32.exe	91
PID 2488 set thread context of 768	2488	vssms32.exe	95
PID 1848 set thread context of 3268	1848	vssms32.exe	97
PID 5096 set thread context of 1636	5096	vssms32.exe	100
PID 4284 set thread context of 5028	4284	vssms32.exe	103
PID 2332 set thread context of 4748	2332	vssms32.exe	105
PID 3388 set thread context of 964	3388	vssms32.exe	107
PID 4996 set thread context of 4832	4996	vssms32.exe	109
PID 3448 set thread context of 1192	3448	vssms32.exe	111
PID 2056 set thread context of 2296	2056	vssms32.exe	113
PID 3172 set thread context of 4304	3172	vssms32.exe	115
PID 1688 set thread context of 3548	1688	vssms32.exe	117
PID 2052 set thread context of 1580	2052	vssms32.exe	119
PID 1312 set thread context of 3180	1312	vssms32.exe	121
PID 4728 set thread context of 4640	4728	vssms32.exe	123
PID 2148 set thread context of 4648	2148	vssms32.exe	125
PID 2304 set thread context of 4972	2304	vssms32.exe	127
PID 1420 set thread context of 4588	1420	vssms32.exe	129
PID 1480 set thread context of 3924	1480	vssms32.exe	131
PID 2124 set thread context of 1516	2124	vssms32.exe	133
PID 1224 set thread context of 420	1224	vssms32.exe	135
PID 2788 set thread context of 1848	2788	vssms32.exe	137

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vssms32.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
1752	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
1504	vssms32.exe
364	vssms32.exe
2488	vssms32.exe
1848	vssms32.exe
5096	vssms32.exe
4284	vssms32.exe
2332	vssms32.exe
3388	vssms32.exe
4996	vssms32.exe
3448	vssms32.exe
2056	vssms32.exe
3172	vssms32.exe
1688	vssms32.exe
2052	vssms32.exe
1312	vssms32.exe
4728	vssms32.exe
2148	vssms32.exe
2304	vssms32.exe
1420	vssms32.exe
1480	vssms32.exe
2124	vssms32.exe
1224	vssms32.exe
2788	vssms32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 4656	1752	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	82
PID 1752 wrote to memory of 4656	1752	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	82
PID 1752 wrote to memory of 4656	1752	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	82
PID 1752 wrote to memory of 4656	1752	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	82
PID 1752 wrote to memory of 4656	1752	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	82
PID 1752 wrote to memory of 4656	1752	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	82
PID 1752 wrote to memory of 4656	1752	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	82
PID 1752 wrote to memory of 4656	1752	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	82
PID 1752 wrote to memory of 4656	1752	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	82
PID 1752 wrote to memory of 4656	1752	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	82
PID 1752 wrote to memory of 4656	1752	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	82
PID 1752 wrote to memory of 4656	1752	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	82
PID 1752 wrote to memory of 4656	1752	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	82
PID 4656 wrote to memory of 1504	4656	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	83
PID 4656 wrote to memory of 1504	4656	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	83
PID 4656 wrote to memory of 1504	4656	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	83
PID 1504 wrote to memory of 536	1504	vssms32.exe	84
PID 1504 wrote to memory of 536	1504	vssms32.exe	84
PID 1504 wrote to memory of 536	1504	vssms32.exe	84
PID 1504 wrote to memory of 536	1504	vssms32.exe	84
PID 1504 wrote to memory of 536	1504	vssms32.exe	84
PID 1504 wrote to memory of 536	1504	vssms32.exe	84
PID 1504 wrote to memory of 536	1504	vssms32.exe	84
PID 1504 wrote to memory of 536	1504	vssms32.exe	84
PID 1504 wrote to memory of 536	1504	vssms32.exe	84
PID 1504 wrote to memory of 536	1504	vssms32.exe	84
PID 1504 wrote to memory of 536	1504	vssms32.exe	84
PID 1504 wrote to memory of 536	1504	vssms32.exe	84
PID 1504 wrote to memory of 536	1504	vssms32.exe	84
PID 536 wrote to memory of 364	536	vssms32.exe	90
PID 536 wrote to memory of 364	536	vssms32.exe	90
PID 536 wrote to memory of 364	536	vssms32.exe	90
PID 364 wrote to memory of 4352	364	vssms32.exe	91
PID 364 wrote to memory of 4352	364	vssms32.exe	91
PID 364 wrote to memory of 4352	364	vssms32.exe	91
PID 364 wrote to memory of 4352	364	vssms32.exe	91
PID 364 wrote to memory of 4352	364	vssms32.exe	91
PID 364 wrote to memory of 4352	364	vssms32.exe	91
PID 364 wrote to memory of 4352	364	vssms32.exe	91
PID 364 wrote to memory of 4352	364	vssms32.exe	91
PID 364 wrote to memory of 4352	364	vssms32.exe	91
PID 364 wrote to memory of 4352	364	vssms32.exe	91
PID 364 wrote to memory of 4352	364	vssms32.exe	91
PID 364 wrote to memory of 4352	364	vssms32.exe	91
PID 364 wrote to memory of 4352	364	vssms32.exe	91
PID 4352 wrote to memory of 2488	4352	vssms32.exe	94
PID 4352 wrote to memory of 2488	4352	vssms32.exe	94
PID 4352 wrote to memory of 2488	4352	vssms32.exe	94
PID 2488 wrote to memory of 768	2488	vssms32.exe	95
PID 2488 wrote to memory of 768	2488	vssms32.exe	95
PID 2488 wrote to memory of 768	2488	vssms32.exe	95
PID 2488 wrote to memory of 768	2488	vssms32.exe	95
PID 2488 wrote to memory of 768	2488	vssms32.exe	95
PID 2488 wrote to memory of 768	2488	vssms32.exe	95
PID 2488 wrote to memory of 768	2488	vssms32.exe	95
PID 2488 wrote to memory of 768	2488	vssms32.exe	95
PID 2488 wrote to memory of 768	2488	vssms32.exe	95
PID 2488 wrote to memory of 768	2488	vssms32.exe	95
PID 2488 wrote to memory of 768	2488	vssms32.exe	95
PID 2488 wrote to memory of 768	2488	vssms32.exe	95
PID 2488 wrote to memory of 768	2488	vssms32.exe	95
PID 768 wrote to memory of 1848	768	vssms32.exe	96
PID 768 wrote to memory of 1848	768	vssms32.exe	96
PID 768 wrote to memory of 1848	768	vssms32.exe	96

C:\Users\Admin\AppData\Local\Temp\fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
  2⤵
  - Checks computer location settings
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\SysWOW64\vssms32.exe
    "C:\Windows\system32\vssms32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\SysWOW64\vssms32.exe
      C:\Windows\SysWOW64\vssms32.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:536
    - - C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:364
      - C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1848
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5096
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4284
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3388
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4996
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3448
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2056
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3172
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2052
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1312
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4728
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2148
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1420
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1480
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1224
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:420
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\vssms32.exe

Filesize
776KB

MD5
fbdbb31466b09f812976925578b1e053

SHA1
e7a204ec8cff2ca0e430656dcec8d1819b8b0618

SHA256
8f77ef7c38ba8d72c7f1fc411801c7b7c5b42d7a0f7c877db8624f8e8113eb39

SHA512
831a36ac984ede03b3b6e9d482b179ce9f49f67b5258bd4e809f0f96a82eb962cf1e2d096ed0cf7ff72005246c6b6040c506e152cb4b178b4d2b29052bc5f2ba

Download Submit
memory/536-90-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/536-92-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/536-89-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/768-127-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/768-125-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3268-144-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4352-110-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4352-107-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4656-13-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4656-74-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4656-2-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4656-3-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4656-5-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4656-7-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4656-12-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4656-9-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads