88baa9717f39229de8fcf8f91adc4f21a0ea6eec31e377ec6ad40e7a03dfa050

Analysis

max time kernel
117s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14c7a4bfd58a5f2c89c6c1464de87054_JaffaCakes118.exe
Size

80KB
MD5

14c7a4bfd58a5f2c89c6c1464de87054
SHA1

65ae1bdd8454056e4a94e3849a23ec8e89fdde7c
SHA256

88baa9717f39229de8fcf8f91adc4f21a0ea6eec31e377ec6ad40e7a03dfa050
SHA512

9037a25e7fcc5075a079cfa0e55d5b06d14e50c4fcf29d74627ecd75735bf5b0ec09308d59c3d0e2b23972efe0672d5e056787ed8f86264657a6937b20e31b33
SSDEEP

1536:5mjw3P1VGqVx30iJITWPPwq7q5hA/1oOO2uKzA0ZptWcfEN:Mjw3NnDkkgQxq5m102NzAgtps

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	winboot.exe

Executes dropped EXE 64 IoCs

pid	Process
2432	winboot.exe
4768	winboot.exe
4692	winboot.exe
2720	winboot.exe
2788	winboot.exe
912	winboot.exe
2924	winboot.exe
2384	winboot.exe
2460	winboot.exe
3124	winboot.exe
2216	winboot.exe
4428	winboot.exe
5048	winboot.exe
2988	winboot.exe
5052	winboot.exe
4064	winboot.exe
4800	winboot.exe
2888	winboot.exe
1584	winboot.exe
4052	winboot.exe
3152	winboot.exe
2788	winboot.exe
2848	winboot.exe
2432	winboot.exe
3920	winboot.exe
5104	winboot.exe
4892	winboot.exe
4428	winboot.exe
5012	winboot.exe
4764	winboot.exe
3088	winboot.exe
4300	winboot.exe
3484	winboot.exe
4628	winboot.exe
3224	winboot.exe
2248	winboot.exe
2796	winboot.exe
3552	winboot.exe
5004	winboot.exe
2196	winboot.exe
3400	winboot.exe
4884	winboot.exe
4940	winboot.exe
4556	winboot.exe
1052	winboot.exe
964	winboot.exe
3864	winboot.exe
4984	winboot.exe
2764	winboot.exe
216	winboot.exe
4868	winboot.exe
1980	winboot.exe
2096	winboot.exe
4432	winboot.exe
872	winboot.exe
5072	winboot.exe
772	winboot.exe
5064	winboot.exe
2888	winboot.exe
4984	winboot.exe
4336	winboot.exe
1332	winboot.exe
2876	winboot.exe
3956	winboot.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2044-0-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2044-1-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x0005000000022975-7.dat	upx
behavioral2/memory/2432-38-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2044-39-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2432-43-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4768-44-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4768-48-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4692-49-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2720-54-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4692-53-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2788-60-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2720-59-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/912-65-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2788-64-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2924-69-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/912-68-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2924-73-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2384-74-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2460-79-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2384-78-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2460-82-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3124-83-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2216-88-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3124-87-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2216-92-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4428-96-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/5048-100-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2988-101-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2988-105-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/5052-106-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/5052-110-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4064-111-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4064-116-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4800-115-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4800-119-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2888-123-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1584-125-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2460-124-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4052-130-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1584-129-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3152-136-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4052-135-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3152-140-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2788-141-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2788-145-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2848-146-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2848-148-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2432-151-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2432-155-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3920-158-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4892-163-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/5104-162-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4428-168-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4892-167-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/5012-173-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4428-172-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4764-178-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/5012-177-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4764-182-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3088-183-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4300-188-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3088-187-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4300-192-0x0000000000400000-0x0000000000430000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Boot = "winboot.exe"	winboot.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File created	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe
File opened for modification	C:\Windows\SysWOW64\winboot.exe	winboot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	14c7a4bfd58a5f2c89c6c1464de87054_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winboot.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2044	14c7a4bfd58a5f2c89c6c1464de87054_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2432	winboot.exe
Token: SeIncBasePriorityPrivilege	4768	winboot.exe
Token: SeIncBasePriorityPrivilege	4692	winboot.exe
Token: SeIncBasePriorityPrivilege	2720	winboot.exe
Token: SeIncBasePriorityPrivilege	2788	winboot.exe
Token: SeIncBasePriorityPrivilege	912	winboot.exe
Token: SeIncBasePriorityPrivilege	2924	winboot.exe
Token: SeIncBasePriorityPrivilege	2384	winboot.exe
Token: SeIncBasePriorityPrivilege	2460	winboot.exe
Token: SeIncBasePriorityPrivilege	3124	winboot.exe
Token: SeIncBasePriorityPrivilege	2216	winboot.exe
Token: SeIncBasePriorityPrivilege	4428	winboot.exe
Token: SeIncBasePriorityPrivilege	5048	winboot.exe
Token: SeIncBasePriorityPrivilege	2988	winboot.exe
Token: SeIncBasePriorityPrivilege	5052	winboot.exe
Token: SeIncBasePriorityPrivilege	4064	winboot.exe
Token: SeIncBasePriorityPrivilege	4800	winboot.exe
Token: SeIncBasePriorityPrivilege	2888	winboot.exe
Token: SeIncBasePriorityPrivilege	1584	winboot.exe
Token: SeIncBasePriorityPrivilege	4052	winboot.exe
Token: SeIncBasePriorityPrivilege	3152	winboot.exe
Token: SeIncBasePriorityPrivilege	2788	winboot.exe
Token: SeIncBasePriorityPrivilege	2848	winboot.exe
Token: SeIncBasePriorityPrivilege	2432	winboot.exe
Token: SeIncBasePriorityPrivilege	3920	winboot.exe
Token: SeIncBasePriorityPrivilege	5104	winboot.exe
Token: SeIncBasePriorityPrivilege	4892	winboot.exe
Token: SeIncBasePriorityPrivilege	4428	winboot.exe
Token: SeIncBasePriorityPrivilege	5012	winboot.exe
Token: SeIncBasePriorityPrivilege	4764	winboot.exe
Token: SeIncBasePriorityPrivilege	3088	winboot.exe
Token: SeIncBasePriorityPrivilege	4300	winboot.exe
Token: SeIncBasePriorityPrivilege	3484	winboot.exe
Token: SeIncBasePriorityPrivilege	4628	winboot.exe
Token: SeIncBasePriorityPrivilege	3224	winboot.exe
Token: SeIncBasePriorityPrivilege	2248	winboot.exe
Token: SeIncBasePriorityPrivilege	2796	winboot.exe
Token: SeIncBasePriorityPrivilege	3552	winboot.exe
Token: SeIncBasePriorityPrivilege	5004	winboot.exe
Token: SeIncBasePriorityPrivilege	2196	winboot.exe
Token: SeIncBasePriorityPrivilege	3400	winboot.exe
Token: SeIncBasePriorityPrivilege	4884	winboot.exe
Token: SeIncBasePriorityPrivilege	4940	winboot.exe
Token: SeIncBasePriorityPrivilege	4556	winboot.exe
Token: SeIncBasePriorityPrivilege	1052	winboot.exe
Token: SeIncBasePriorityPrivilege	964	winboot.exe
Token: SeIncBasePriorityPrivilege	3864	winboot.exe
Token: SeIncBasePriorityPrivilege	4984	winboot.exe
Token: SeIncBasePriorityPrivilege	2764	winboot.exe
Token: SeIncBasePriorityPrivilege	216	winboot.exe
Token: SeIncBasePriorityPrivilege	4868	winboot.exe
Token: SeIncBasePriorityPrivilege	1980	winboot.exe
Token: SeIncBasePriorityPrivilege	2096	winboot.exe
Token: SeIncBasePriorityPrivilege	4432	winboot.exe
Token: SeIncBasePriorityPrivilege	872	winboot.exe
Token: SeIncBasePriorityPrivilege	5072	winboot.exe
Token: SeIncBasePriorityPrivilege	772	winboot.exe
Token: SeIncBasePriorityPrivilege	5064	winboot.exe
Token: SeIncBasePriorityPrivilege	2888	winboot.exe
Token: SeIncBasePriorityPrivilege	4984	winboot.exe
Token: SeIncBasePriorityPrivilege	4336	winboot.exe
Token: SeIncBasePriorityPrivilege	1332	winboot.exe
Token: SeIncBasePriorityPrivilege	2876	winboot.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2432	2044	14c7a4bfd58a5f2c89c6c1464de87054_JaffaCakes118.exe	89
PID 2044 wrote to memory of 2432	2044	14c7a4bfd58a5f2c89c6c1464de87054_JaffaCakes118.exe	89
PID 2044 wrote to memory of 2432	2044	14c7a4bfd58a5f2c89c6c1464de87054_JaffaCakes118.exe	89
PID 2044 wrote to memory of 1316	2044	14c7a4bfd58a5f2c89c6c1464de87054_JaffaCakes118.exe	90
PID 2044 wrote to memory of 1316	2044	14c7a4bfd58a5f2c89c6c1464de87054_JaffaCakes118.exe	90
PID 2044 wrote to memory of 1316	2044	14c7a4bfd58a5f2c89c6c1464de87054_JaffaCakes118.exe	90
PID 2432 wrote to memory of 4768	2432	winboot.exe	92
PID 2432 wrote to memory of 4768	2432	winboot.exe	92
PID 2432 wrote to memory of 4768	2432	winboot.exe	92
PID 2432 wrote to memory of 2124	2432	winboot.exe	93
PID 2432 wrote to memory of 2124	2432	winboot.exe	93
PID 2432 wrote to memory of 2124	2432	winboot.exe	93
PID 4768 wrote to memory of 4692	4768	winboot.exe	95
PID 4768 wrote to memory of 4692	4768	winboot.exe	95
PID 4768 wrote to memory of 4692	4768	winboot.exe	95
PID 4768 wrote to memory of 468	4768	winboot.exe	96
PID 4768 wrote to memory of 468	4768	winboot.exe	96
PID 4768 wrote to memory of 468	4768	winboot.exe	96
PID 4692 wrote to memory of 2720	4692	winboot.exe	98
PID 4692 wrote to memory of 2720	4692	winboot.exe	98
PID 4692 wrote to memory of 2720	4692	winboot.exe	98
PID 4692 wrote to memory of 3936	4692	winboot.exe	99
PID 4692 wrote to memory of 3936	4692	winboot.exe	99
PID 4692 wrote to memory of 3936	4692	winboot.exe	99
PID 2720 wrote to memory of 2788	2720	winboot.exe	101
PID 2720 wrote to memory of 2788	2720	winboot.exe	101
PID 2720 wrote to memory of 2788	2720	winboot.exe	101
PID 2720 wrote to memory of 3400	2720	winboot.exe	102
PID 2720 wrote to memory of 3400	2720	winboot.exe	102
PID 2720 wrote to memory of 3400	2720	winboot.exe	102
PID 2788 wrote to memory of 912	2788	winboot.exe	104
PID 2788 wrote to memory of 912	2788	winboot.exe	104
PID 2788 wrote to memory of 912	2788	winboot.exe	104
PID 2788 wrote to memory of 3800	2788	winboot.exe	105
PID 2788 wrote to memory of 3800	2788	winboot.exe	105
PID 2788 wrote to memory of 3800	2788	winboot.exe	105
PID 912 wrote to memory of 2924	912	winboot.exe	109
PID 912 wrote to memory of 2924	912	winboot.exe	109
PID 912 wrote to memory of 2924	912	winboot.exe	109
PID 912 wrote to memory of 3972	912	winboot.exe	110
PID 912 wrote to memory of 3972	912	winboot.exe	110
PID 912 wrote to memory of 3972	912	winboot.exe	110
PID 2924 wrote to memory of 2384	2924	winboot.exe	112
PID 2924 wrote to memory of 2384	2924	winboot.exe	112
PID 2924 wrote to memory of 2384	2924	winboot.exe	112
PID 2924 wrote to memory of 1492	2924	winboot.exe	114
PID 2924 wrote to memory of 1492	2924	winboot.exe	114
PID 2924 wrote to memory of 1492	2924	winboot.exe	114
PID 2384 wrote to memory of 2460	2384	winboot.exe	117
PID 2384 wrote to memory of 2460	2384	winboot.exe	117
PID 2384 wrote to memory of 2460	2384	winboot.exe	117
PID 2384 wrote to memory of 4064	2384	winboot.exe	118
PID 2384 wrote to memory of 4064	2384	winboot.exe	118
PID 2384 wrote to memory of 4064	2384	winboot.exe	118
PID 2460 wrote to memory of 3124	2460	winboot.exe	121
PID 2460 wrote to memory of 3124	2460	winboot.exe	121
PID 2460 wrote to memory of 3124	2460	winboot.exe	121
PID 2460 wrote to memory of 4804	2460	winboot.exe	122
PID 2460 wrote to memory of 4804	2460	winboot.exe	122
PID 2460 wrote to memory of 4804	2460	winboot.exe	122
PID 3124 wrote to memory of 2216	3124	winboot.exe	124
PID 3124 wrote to memory of 2216	3124	winboot.exe	124
PID 3124 wrote to memory of 2216	3124	winboot.exe	124
PID 3124 wrote to memory of 2956	3124	winboot.exe	125

C:\Users\Admin\AppData\Local\Temp\14c7a4bfd58a5f2c89c6c1464de87054_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14c7a4bfd58a5f2c89c6c1464de87054_JaffaCakes118.exe"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\winboot.exe
  "C:\Windows\system32\winboot.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\winboot.exe
    "C:\Windows\system32\winboot.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\SysWOW64\winboot.exe
      "C:\Windows\system32\winboot.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4064
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4800
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4052
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3152
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3920
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        27⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:5104
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        31⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        32⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3088
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4628
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3224
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        37⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        38⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3552
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5004
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        41⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4556
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        47⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3864
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        49⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        50⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        52⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        53⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        55⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5064
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        61⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4336
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        66⤵
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        67⤵
        Checks computer location settings
        
        PID:4432
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        68⤵
        Checks computer location settings
        
        PID:1492
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        69⤵
        Checks computer location settings
        
        PID:464
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        70⤵
        Adds Run key to start application
        
        PID:656
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        71⤵
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        72⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        73⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3248
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        74⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        75⤵
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        76⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        77⤵
        Checks computer location settings
        
        PID:5052
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        78⤵
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        79⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        80⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3120
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        81⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3552
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        82⤵
        Checks computer location settings
        
        PID:1244
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        83⤵
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        84⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        85⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        86⤵
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        87⤵
        
        PID:804
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        88⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        89⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        90⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        91⤵
        Checks computer location settings
        
        PID:2620
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        92⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        93⤵
        
        PID:216
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        94⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        95⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        96⤵
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        97⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        98⤵
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        99⤵
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        100⤵
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        101⤵
        Checks computer location settings
        
        PID:2604
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        102⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        103⤵
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        104⤵
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        105⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1120
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        106⤵
        Checks computer location settings
        
        PID:388
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        107⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        109⤵
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        110⤵
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        111⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3320
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        112⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4348
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        113⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        114⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        115⤵
        Checks computer location settings
        
        PID:2848
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        116⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        117⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        118⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        119⤵
        Adds Run key to start application
        
        PID:1040
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        120⤵
        Checks computer location settings
        
        PID:4208
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        121⤵
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        122⤵
        
        PID:916
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        123⤵
        Adds Run key to start application
        
        PID:4576
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        124⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        125⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2788
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        126⤵
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        127⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4944
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        128⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        129⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        130⤵
        
        PID:916
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        131⤵
        
        PID:848
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        132⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        133⤵
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        134⤵
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        135⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        136⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4432
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        137⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        138⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        139⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        140⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        141⤵
        Adds Run key to start application
        
        PID:4032
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        142⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        143⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        144⤵
        Adds Run key to start application
        
        PID:3068
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        145⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        146⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1168
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        148⤵
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        149⤵
        
        PID:700
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        150⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:388
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        151⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3948
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        152⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        153⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        154⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        156⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        157⤵
        Adds Run key to start application
        
        PID:4032
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        158⤵
        Checks computer location settings
        
        PID:3216
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        160⤵
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        161⤵
        Checks computer location settings
        
        PID:2172
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        162⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        163⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        164⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1856
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        165⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        166⤵
        Adds Run key to start application
        
        PID:2032
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        167⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        168⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        169⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        170⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        171⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        172⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        173⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        174⤵
        Checks computer location settings
        
        PID:1880
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        175⤵
        Adds Run key to start application
        
        PID:2604
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        176⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        177⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        178⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        179⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        180⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        181⤵
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        182⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        183⤵
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        184⤵
        Drops file in System32 directory
        
        PID:3096
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        185⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        186⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        187⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        188⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        189⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        190⤵
        
        PID:228
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        191⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        192⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        193⤵
        Adds Run key to start application
        
        PID:4304
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        194⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        195⤵
        Checks computer location settings
        
        PID:3204
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        196⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        197⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        198⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        199⤵
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        200⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        201⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        202⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        203⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        204⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        205⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        206⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        207⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        208⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        209⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        210⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        211⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        212⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        213⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        214⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        215⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        216⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        217⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        218⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        219⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        220⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        221⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        222⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        223⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        224⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        225⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        226⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        227⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        228⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        229⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        230⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        231⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        232⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        233⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        234⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        235⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        236⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        237⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        238⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        239⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        240⤵
        
        PID:772
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        241⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        242⤵
        
        PID:916
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        243⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\winboot.exe
        
        "C:\Windows\system32\winboot.exe"
        244⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        244⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        243⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        242⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        241⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        240⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        239⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        238⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        237⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        236⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        235⤵
        
        PID:776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        236⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        234⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        233⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        232⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        231⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        230⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        229⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        228⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        227⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        226⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        225⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        224⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        223⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        222⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        221⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        220⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        219⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        218⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        217⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        216⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        215⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        214⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        213⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        212⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        211⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        210⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        209⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        208⤵
        
        PID:852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        207⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        206⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        205⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        204⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        203⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        202⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        201⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        200⤵
        
        PID:1320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        199⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        198⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        197⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        196⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        195⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        194⤵
        
        PID:220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        193⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        192⤵
        
        PID:2248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        191⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        190⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        189⤵
        
        PID:3772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        190⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        188⤵
        
        PID:2176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        187⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        186⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        185⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        184⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        183⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        182⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        181⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        180⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        179⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        178⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        177⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        176⤵
        
        PID:1328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        175⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        174⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        173⤵
        
        PID:116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        174⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        172⤵
        
        PID:2196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        171⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        170⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        169⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        168⤵
        
        PID:776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        167⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        166⤵
        
        PID:4684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        165⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        164⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        163⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        162⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        161⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        160⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        159⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        158⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        157⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        156⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        155⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        154⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        153⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        152⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        151⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        150⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        149⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        148⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        147⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        146⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        145⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        144⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        143⤵
        
        PID:3948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        144⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        142⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        141⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        140⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        139⤵
        
        PID:3408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        140⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        138⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        137⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        136⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        135⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        134⤵
        
        PID:2908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        133⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        132⤵
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        131⤵
        
        PID:5000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        130⤵
        
        PID:3812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        129⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        128⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        127⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        126⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        125⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        124⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        123⤵
        
        PID:2848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        122⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        121⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        120⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        119⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        118⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        117⤵
        
        PID:1244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        118⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        116⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        115⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        114⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        113⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        112⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        111⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        110⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        109⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        108⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        107⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        106⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        105⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        104⤵
        
        PID:2212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        103⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        102⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        101⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        100⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        99⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        98⤵
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        97⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        96⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        95⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        94⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        93⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        92⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        91⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        90⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        89⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        88⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        87⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        86⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        85⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        84⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        83⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        82⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        81⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        80⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        79⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        78⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        77⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        76⤵
        
        PID:4064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        75⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        74⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        73⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        72⤵
        
        PID:1264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        71⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        70⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        69⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        68⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        67⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        66⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        65⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        64⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        63⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        62⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        61⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        60⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        59⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        58⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        57⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        56⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        55⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        54⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        53⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        52⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        51⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        50⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        49⤵
        
        PID:3124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        50⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        48⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        47⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        46⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        45⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        44⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        43⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        42⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        41⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        40⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        39⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        38⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        37⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        36⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        35⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        34⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        33⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        32⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        31⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        30⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        29⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        28⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        27⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        26⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        25⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        24⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        23⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        22⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        21⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        20⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        19⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        18⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        17⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        16⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        15⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        14⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        13⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        12⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        11⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        10⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        9⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        8⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        7⤵
        
        PID:3800
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        6⤵
        
        PID:3400
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
        5⤵
        
        PID:3936
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
      4⤵
      PID:468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\winboot.exe > nul
    3⤵
    PID:2124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\14C7A4~1.EXE > nul
  2⤵
  PID:1316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4340,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:8
1⤵
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winboot.exe

Filesize
80KB

MD5
14c7a4bfd58a5f2c89c6c1464de87054

SHA1
65ae1bdd8454056e4a94e3849a23ec8e89fdde7c

SHA256
88baa9717f39229de8fcf8f91adc4f21a0ea6eec31e377ec6ad40e7a03dfa050

SHA512
9037a25e7fcc5075a079cfa0e55d5b06d14e50c4fcf29d74627ecd75735bf5b0ec09308d59c3d0e2b23972efe0672d5e056787ed8f86264657a6937b20e31b33

Download Submit
memory/216-260-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/872-276-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/912-65-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/912-68-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/964-247-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1052-244-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1052-241-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1584-129-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1584-125-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1980-267-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1980-264-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2044-39-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2044-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2044-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2044-2-0x000000000041B000-0x000000000042F000-memory.dmp

Filesize
80KB

Download
memory/2096-270-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2196-221-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2196-224-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2216-88-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2216-92-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2248-208-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2248-205-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2384-74-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2384-78-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2432-151-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2432-155-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2432-43-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2432-38-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2460-124-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2460-82-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2460-79-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2720-59-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2720-54-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2764-254-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2764-257-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2788-141-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2788-64-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2788-60-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2788-145-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2796-212-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2796-209-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2848-146-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2848-148-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2888-123-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2924-69-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2924-73-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2988-105-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2988-101-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3088-187-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3088-183-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3124-83-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3124-87-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3152-136-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3152-140-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3224-204-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3400-225-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3400-228-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3484-193-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3484-197-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3552-216-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3552-213-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3864-251-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3864-248-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3920-158-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4052-130-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4052-135-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4064-111-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4064-116-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4300-188-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4300-192-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4428-172-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4428-96-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4428-168-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4432-273-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4556-240-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4556-237-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4628-201-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4628-198-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4692-49-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4692-53-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4764-182-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4764-178-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4768-44-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4768-48-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4800-115-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4800-119-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4868-263-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4884-229-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4884-232-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4892-163-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4892-167-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4940-236-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4940-233-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5004-217-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5004-220-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5012-177-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5012-173-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5048-100-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5052-110-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5052-106-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5104-162-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads