Analysis
max time kernel: 80s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 27-06-2024 05:07
Behavioral task: behavioral1
Sample: 14c7a4bfd58a5f2c89c6c1464de87054_JaffaCakes118.exe
Resource: win7-20231129-en (windows7-x64)
9 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 14c7a4bfd58a5f2c89c6c1464de87054_JaffaCakes118.exe
Resource: win10v2004-20240508-en (windows10-2004-x64)
9 signatures, 150 seconds
General
Target: 14c7a4bfd58a5f2c89c6c1464de87054_JaffaCakes118.exe
Size: 80KB
MD5: 14c7a4bfd58a5f2c89c6c1464de87054
SHA1: 65ae1bdd8454056e4a94e3849a23ec8e89fdde7c
SHA256: 88baa9717f39229de8fcf8f91adc4f21a0ea6eec31e377ec6ad40e7a03dfa050
SHA512: 9037a25e7fcc5075a079cfa0e55d5b06d14e50c4fcf29d74627ecd75735bf5b0ec09308d59c3d0e2b23972efe0672d5e056787ed8f86264657a6937b20e31b33
SSDEEP: 1536:5mjw3P1VGqVx30iJITWPPwq7q5hA/1oOO2uKzA0ZptWcfEN:Mjw3NnDkkgQxq5m102NzAgtps
Score: 7/10
Malware Config

Signatures

Deletes itself (1 IoCs)
pid   Process
2600  cmd.exe
Executes dropped EXE (64 IoCs)
pid   Process
All 64 entries are winboot.exe; pids in report order (a pid may recur because the OS reuses pids):
2804, 2744, 1396, 1464, 3040, 696, 668, 764, 1680, 1032, 2708, 2592, 1392, 2776, 1464, 1748, 1148, 1328, 1080, 2984, 2720, 2912, 2452, 2020, 2732, 2156, 1656, 1968, 412, 108, 1088, 3052, 2652, 2680, 1988, 2696, 2916, 572, 1656, 1368, 1792, 1896, 1732, 3052, 2472, 852, 1560, 2732, 1640, 696, 1880, 328, 2604, 1776, 2736, 2804, 2444, 2908, 1728, 1464, 1876, 2168, 1328, 1668
Loads dropped DLL (64 IoCs)
pid   Process
Each pid below is recorded twice in the report (32 distinct entries, 64 rows).
952   14c7a4bfd58a5f2c89c6c1464de87054_JaffaCakes118.exe
winboot.exe pids in report order: 2804, 2744, 1396, 1464, 3040, 696, 668, 764, 1680, 1032, 2708, 2592, 1392, 2776, 1464, 1748, 1148, 1328, 1080, 2984, 2720, 2912, 2452, 2020, 2732, 2156, 1656, 1968, 412, 108, 1088
resource   yara_rule
All 64 matches are rule upx. Two resources differ from the common pattern:
behavioral1/files/0x000b0000000141a2-6.dat
behavioral1/memory/952-7-0x0000000002E70000-0x0000000002EA0000-memory.dmp
The remaining 62 are behavioral1/memory/<pid>-<n>-0x0000000000400000-0x0000000000430000-memory.dmp, with <pid>-<n> in report order:
952-0, 952-1, 2804-16, 952-19, 2744-27, 2804-26, 1396-32, 2744-34, 1464-41, 1396-43, 3040-49, 1464-51, 696-58, 3040-59, 696-65, 764-71, 668-73, 1680-80, 764-81, 1680-89, 2708-96, 1032-95, 2708-102, 1392-109, 2592-111, 1392-118, 1464-124, 2776-126, 1748-134, 1464-131, 1748-141, 1148-142, 1148-147, 1328-150, 1080-151, 1080-157, 2984-160, 2720-162, 2720-165, 2912-169, 2452-170, 2452-172, 2020-176, 2156-181, 2732-180, 1656-183, 2156-185, 1656-188, 1968-189, 412-191, 1968-192, 412-194, 1088-198, 108-197, 1088-205, 3052-207, 3052-211, 2680-215, 2652-214, 2680-218, 1988-219, 1988-223
Adds Run key to start application (2 TTPs, 64 IoCs)
description      ioc                                                                                                        Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"  winboot.exe
(this identical row is recorded 64 times, once per winboot.exe instance)
Drops file in System32 directory (64 IoCs)
description                   ioc                              Process
File created                  C:\Windows\SysWOW64\winboot.exe  winboot.exe   (25 rows)
File opened for modification  C:\Windows\SysWOW64\winboot.exe  winboot.exe   (39 rows)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                        pid   Process
Token: SeIncBasePriorityPrivilege  952   14c7a4bfd58a5f2c89c6c1464de87054_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege  winboot.exe, 63 rows with pids in report order: 2804, 2744, 1396, 1464, 3040, 696, 668, 764, 1680, 1032, 2708, 2592, 1392, 2776, 1464, 1748, 1148, 1328, 1080, 2984, 2720, 2912, 2452, 2020, 2732, 2156, 1656, 1968, 412, 108, 3052, 2652, 2680, 1988, 2696, 2916, 572, 1656, 1368, 1792, 1896, 1732, 3052, 2472, 852, 1560, 2732, 1640, 696, 1880, 328, 2604, 1776, 2736, 2804, 2444, 2908, 1728, 1464, 1876, 2168, 1328, 1668
Suspicious use of WriteProcessMemory (64 IoCs)
description                       pid   Process                                             procid_target
Each row below is recorded four times in the report (16 distinct rows, 64 in total).
PID 952 wrote to memory of 2804   952   14c7a4bfd58a5f2c89c6c1464de87054_JaffaCakes118.exe  28
PID 952 wrote to memory of 2600   952   14c7a4bfd58a5f2c89c6c1464de87054_JaffaCakes118.exe  29
PID 2804 wrote to memory of 2744  2804  winboot.exe                                         31
PID 2804 wrote to memory of 2480  2804  winboot.exe                                         32
PID 2744 wrote to memory of 1396  2744  winboot.exe                                         34
PID 2744 wrote to memory of 2672  2744  winboot.exe                                         35
PID 1396 wrote to memory of 1464  1396  winboot.exe                                         37
PID 1396 wrote to memory of 2544  1396  winboot.exe                                         38
PID 1464 wrote to memory of 3040  1464  winboot.exe                                         40
PID 1464 wrote to memory of 2288  1464  winboot.exe                                         41
PID 3040 wrote to memory of 696   3040  winboot.exe                                         43
PID 3040 wrote to memory of 752   3040  winboot.exe                                         44
PID 696 wrote to memory of 668    696   winboot.exe                                         46
PID 696 wrote to memory of 412    696   winboot.exe                                         47
PID 668 wrote to memory of 764    668   winboot.exe                                         49
PID 668 wrote to memory of 616    668   winboot.exe                                         50
Processes
Each entry is [tree depth] image path, command line, PID, followed by the signatures hit by that process.

[1] C:\Users\Admin\AppData\Local\Temp\14c7a4bfd58a5f2c89c6c1464de87054_JaffaCakes118.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\14c7a4bfd58a5f2c89c6c1464de87054_JaffaCakes118.exe"
    PID: 952
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 2804
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 2744
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 1396
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 1464
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 3040
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[7] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 696
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 668
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[9] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 764
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
[10] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 1680
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
[11] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 1032
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
[12] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 2708
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
[13] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 2592
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
[14] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 1392
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
[15] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 2776
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
[16] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 1464
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
[17] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 1748
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
[18] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 1148
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
[19] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 1328
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
[20] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 1080
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
[21] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 2984
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
[22] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 2720
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
[23] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 2912
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
[24] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 2452
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
[25] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 2020
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
[26] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 2732
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
[27] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 2156
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
[28] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"  PID: 1656
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
[29] C:\Windows\SysWOW64\winboot.exe  cmdline: "C:\Windows\system32\winboot.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1968 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"30⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:412 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"31⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:108 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1088 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"33⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3052 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2652 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"35⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2680 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"36⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1988 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"37⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2696 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"38⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2916 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"39⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:572 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"40⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"41⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1368 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"42⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1792 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"43⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1896 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"44⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1732 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"45⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3052 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"46⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2472 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"47⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:852 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"48⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1560 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"49⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2732 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"50⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1640 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"51⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:696 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"52⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1880 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"53⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:328 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"54⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2604 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"55⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1776 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2736 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"57⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2804 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"58⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2444 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"59⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2908 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"60⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1728 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"61⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1464 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"62⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1876 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"63⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2168 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"64⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1328 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1668 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"66⤵PID:2480
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"67⤵PID:2900
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"68⤵PID:3020
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"69⤵PID:1996
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"70⤵PID:2696
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"71⤵
- Adds Run key to start application
PID:1744 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"72⤵PID:1196
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"73⤵PID:1552
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"74⤵PID:1972
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"75⤵
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"76⤵PID:2800
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"77⤵PID:2648
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"78⤵
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"79⤵
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"80⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"81⤵PID:2316
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"82⤵PID:1156
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"83⤵PID:976
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"84⤵PID:2980
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"85⤵
- Adds Run key to start application
PID:3068 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"86⤵PID:2596
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"87⤵PID:2748
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"88⤵
- Adds Run key to start application
PID:332 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"89⤵PID:3024
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"90⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"91⤵PID:1300
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"92⤵
- Adds Run key to start application
PID:2008 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"93⤵PID:2308
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"94⤵PID:1712
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"95⤵PID:696
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"96⤵PID:2980
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"97⤵
- Adds Run key to start application
PID:2936 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"98⤵PID:2588
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"99⤵
- Adds Run key to start application
PID:2904 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"100⤵
- Adds Run key to start application
PID:2900 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"101⤵PID:1860
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"102⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"103⤵PID:1492
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"104⤵
- Drops file in System32 directory
PID:1496 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"105⤵PID:2696
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"106⤵PID:1352
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"107⤵
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"108⤵PID:2660
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"109⤵
- Adds Run key to start application
PID:2496 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"110⤵PID:1776
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"111⤵
- Adds Run key to start application
PID:2904 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"112⤵
- Adds Run key to start application
PID:1988 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"113⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"114⤵
- Drops file in System32 directory
PID:1300 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"115⤵PID:1524
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"116⤵PID:1196
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"117⤵
- Adds Run key to start application
PID:1780 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"118⤵PID:2312
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"119⤵
- Drops file in System32 directory
PID:1080 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"120⤵PID:2604
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"121⤵PID:2476
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"122⤵PID:1100
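The tree above is a single chain of winboot.exe re-launching its own image, level after level, with the persistence and file-drop tags scattered across the levels and several PIDs (696, 1656, 3052, 2732, 1464, 1328, 2696, 1776, 2900, 2904, 1988, 1300, 1196, 1080, 2604, 2980) recycled by the OS during the run. Reading that off a flat list by eye is error-prone, so the following is an added triage helper, not part of the sandbox report or of the sample: it parses the report's flattened export shape (image path, quoted command line and tree depth run together, the PID either on its own line or fused onto the header, stray `-` list residue) into records and answers the questions an analyst asks first. The excerpt in `SAMPLE_TREE` is constructed from the format seen on this page and covers only a handful of the levels; the tag strings are the report's own.

```python
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt in the report's flattened export shape: image path, quoted
# command line and tree depth run together, the PID either on its own "PID:n -"
# line or fused onto the header, stray "-" list residue, one "- " bullet per tag.
SAMPLE_TREE = r"""
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:668 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"15⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"66⤵PID:2480
-
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"71⤵
- Adds Run key to start application
PID:1744 -
C:\Windows\SysWOW64\winboot.exe"C:\Windows\system32\winboot.exe"95⤵PID:696
-
"""

# <image path><"command line"><depth>⤵ with an optional fused PID; whitespace
# between the fields is optional so a cleaned-up layout parses as well.
HEADER_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\[^"]+?)\s*"(?P<cmd>[^"]*)"\s*(?P<depth>\d+)⤵'
    r'\s*(?:PID:\s*(?P<pid>\d+))?\s*$'
)
PID_RE = re.compile(r"^PID:\s*(\d+)(?:\s*-)?$")
TAG_RE = re.compile(r"^- (.+)$")


@dataclass
class ProcessEntry:
    image: str              # image the sandbox saw on disk (after WoW64 redirection)
    cmdline: str            # command line as the parent passed it
    depth: int              # nesting level in the tree
    pid: int | None = None
    tags: list[str] = field(default_factory=list)


def parse_process_tree(text: str) -> list[ProcessEntry]:
    """Turn the flattened tree into ProcessEntry records, in report order."""
    entries: list[ProcessEntry] = []
    current: ProcessEntry | None = None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue                      # list residue, carries no data
        if m := HEADER_RE.match(line):
            current = ProcessEntry(m["image"], m["cmd"], int(m["depth"]),
                                   int(m["pid"]) if m["pid"] else None)
            entries.append(current)
        elif current is None:
            raise ValueError(f"data before first process header: {line!r}")
        elif m := PID_RE.match(line):
            current.pid = int(m.group(1))
        elif m := TAG_RE.match(line):
            current.tags.append(m.group(1))
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return entries


def longest_self_respawn_chain(entries: list[ProcessEntry]) -> int:
    """Longest run of consecutive depths in which a process re-launched its own image."""
    best = run = 0
    prev: ProcessEntry | None = None
    for e in sorted(entries, key=lambda e: e.depth):
        run = run + 1 if prev and e.depth == prev.depth + 1 and e.image == prev.image else 1
        best, prev = max(best, run), e
    return best


def depths_with_tag(entries: list[ProcessEntry], tag: str) -> list[int]:
    """Tree levels at which a behaviour tag fired, e.g. the Run-key persistence."""
    return [e.depth for e in entries if tag in e.tags]


def reused_pids(entries: list[ProcessEntry]) -> dict[int, list[int]]:
    """PIDs seen at more than one depth: the OS recycled them within the 80 s run,
    so a PID alone is not a stable join key against other telemetry."""
    seen: dict[int, list[int]] = defaultdict(list)
    for e in entries:
        if e.pid is not None:
            seen[e.pid].append(e.depth)
    return {pid: d for pid, d in seen.items() if len(d) > 1}


if __name__ == "__main__":
    tree = parse_process_tree(SAMPLE_TREE)
    print(len(tree), "processes, longest self-respawn run:", longest_self_respawn_chain(tree))
    print("Run key set at depths:", depths_with_tag(tree, "Adds Run key to start application"))
    print("recycled PIDs:", reused_pids(tree))
```

Fed the complete tree shown on this page rather than the excerpt, `longest_self_respawn_chain` reports 116 (every level from 7 through 122 is the same image), `depths_with_tag` lists every level at which the Run key was written again, and `reused_pids` shows why correlating by PID against a second log needs a timestamp or the depth as well. Two caveats worth keeping in mind when turning this into a hunt: the image path and the command line disagree because the sample is a 32-bit process on x64, so its request for `C:\Windows\system32\winboot.exe` is redirected by WoW64 to `C:\Windows\SysWOW64\winboot.exe`, and that is where the dropped file actually lives; and the report does not name the Run key value it wrote, so the registry check has to be derived from the sandbox's registry activity, not guessed from the process tree.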