Analysis
-
max time kernel
117s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
03/07/2024, 05:47
Behavioral task
behavioral1
Sample
21472adb4e82304c6bdeb9a3a5c85e1f_JaffaCakes118.exe
Resource
win7-20240508-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
21472adb4e82304c6bdeb9a3a5c85e1f_JaffaCakes118.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
21472adb4e82304c6bdeb9a3a5c85e1f_JaffaCakes118.exe
-
Size
74KB
-
MD5
21472adb4e82304c6bdeb9a3a5c85e1f
-
SHA1
03591d67d7ebedeecb5013feb1bea2729c1ffa70
-
SHA256
4421e0b6ed380376e69e9baee7ddd41a00627f421ce38f70a48b8e6db2f23e0f
-
SHA512
2bcb8b3dd31f91fd24fd160b92132c78d24b9047fcfd2b217b95587401ba69e24828a8fefde3362a68cd87e172f1fe0c1e477359aa2c1d2e8fd29f3d41c23398
-
SSDEEP
1536:kQUn3HdkTVdUa+2g7i+1cqq7NySwL8HtH4ZEziCk:k5HdkTgaHGtqAL4Nhip
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 5 IoCs
flow pid Process 60 3976 Process not Found 61 3976 Process not Found 62 3976 Process not Found 63 3976 Process not Found 64 3976 Process not Found -
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation winkeybrd.exe -
Executes dropped EXE 64 IoCs
pid Process 2244 winkeybrd.exe 5992 winkeybrd.exe 2888 winkeybrd.exe 5912 winkeybrd.exe 3328 winkeybrd.exe 1540 winkeybrd.exe 2416 winkeybrd.exe 5880 winkeybrd.exe 1736 winkeybrd.exe 348 winkeybrd.exe 2956 winkeybrd.exe 5204 winkeybrd.exe 3552 winkeybrd.exe 5004 winkeybrd.exe 1636 winkeybrd.exe 4432 winkeybrd.exe 5916 winkeybrd.exe 3144 winkeybrd.exe 5356 winkeybrd.exe 2380 winkeybrd.exe 4608 winkeybrd.exe 3620 winkeybrd.exe 932 winkeybrd.exe 832 winkeybrd.exe 5408 winkeybrd.exe 4796 winkeybrd.exe 3036 winkeybrd.exe 5004 winkeybrd.exe 1504 winkeybrd.exe 2180 winkeybrd.exe 692 winkeybrd.exe 1116 winkeybrd.exe 3644 winkeybrd.exe 3228 winkeybrd.exe 2856 winkeybrd.exe 4596 winkeybrd.exe 3588 winkeybrd.exe 2624 winkeybrd.exe 3704 winkeybrd.exe 6068 winkeybrd.exe 5712 winkeybrd.exe 2696 winkeybrd.exe 4504 winkeybrd.exe 4200 winkeybrd.exe 3456 winkeybrd.exe 4552 winkeybrd.exe 5800 winkeybrd.exe 5328 winkeybrd.exe 5664 winkeybrd.exe 832 winkeybrd.exe 348 winkeybrd.exe 2364 winkeybrd.exe 2688 winkeybrd.exe 4188 winkeybrd.exe 5180 winkeybrd.exe 2704 winkeybrd.exe 2876 winkeybrd.exe 5072 winkeybrd.exe 1232 winkeybrd.exe 3504 winkeybrd.exe 5888 winkeybrd.exe 1868 winkeybrd.exe 2740 winkeybrd.exe 5588 winkeybrd.exe -
resource yara_rule behavioral2/memory/2188-1-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/2188-0-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/files/0x000700000002336e-7.dat upx behavioral2/memory/2244-39-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/2188-38-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/5992-43-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/5992-42-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/2244-45-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/5992-49-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/2888-50-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/2888-54-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/5912-55-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/5912-59-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/3328-63-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/1540-64-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/1540-68-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/2416-69-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/5880-74-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/2416-73-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/5880-78-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/1736-79-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/348-84-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/1736-83-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/348-88-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/2956-89-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/5204-94-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/2956-93-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/3552-99-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/5204-98-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/5004-104-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/3552-103-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/1636-109-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/5004-108-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/1636-114-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/4432-113-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/4432-118-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/5916-119-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/3144-124-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/5916-123-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/3144-128-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/5356-129-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/5356-133-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/2380-137-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/4608-138-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/4608-142-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/3620-146-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/932-147-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/932-150-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/832-154-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/4796-158-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/5408-157-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/3036-163-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/4796-162-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/5004-167-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/3036-168-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/5004-172-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/1504-173-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/1504-177-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/2180-178-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/692-183-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/2180-182-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/692-188-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/1116-189-0x0000000000400000-0x000000000042D000-memory.dmp upx behavioral2/memory/3644-196-0x0000000000400000-0x000000000042D000-memory.dmp upx -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Keyboard Services = "winkeybrd.exe" winkeybrd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe 21472adb4e82304c6bdeb9a3a5c85e1f_JaffaCakes118.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File created C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe File opened for modification C:\Windows\SysWOW64\winkeybrd.exe winkeybrd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winkeybrd.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2188 21472adb4e82304c6bdeb9a3a5c85e1f_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 2244 winkeybrd.exe Token: SeIncBasePriorityPrivilege 5992 winkeybrd.exe Token: SeIncBasePriorityPrivilege 2888 winkeybrd.exe Token: SeIncBasePriorityPrivilege 5912 winkeybrd.exe Token: SeIncBasePriorityPrivilege 3328 winkeybrd.exe Token: SeIncBasePriorityPrivilege 1540 winkeybrd.exe Token: SeIncBasePriorityPrivilege 2416 winkeybrd.exe Token: SeIncBasePriorityPrivilege 5880 winkeybrd.exe Token: SeIncBasePriorityPrivilege 1736 winkeybrd.exe Token: SeIncBasePriorityPrivilege 348 winkeybrd.exe Token: SeIncBasePriorityPrivilege 2956 winkeybrd.exe Token: SeIncBasePriorityPrivilege 5204 winkeybrd.exe Token: SeIncBasePriorityPrivilege 3552 winkeybrd.exe Token: SeIncBasePriorityPrivilege 5004 winkeybrd.exe Token: SeIncBasePriorityPrivilege 1636 winkeybrd.exe Token: SeIncBasePriorityPrivilege 4432 winkeybrd.exe Token: SeIncBasePriorityPrivilege 5916 winkeybrd.exe Token: SeIncBasePriorityPrivilege 3144 winkeybrd.exe Token: SeIncBasePriorityPrivilege 5356 winkeybrd.exe Token: SeIncBasePriorityPrivilege 2380 winkeybrd.exe Token: SeIncBasePriorityPrivilege 4608 winkeybrd.exe Token: SeIncBasePriorityPrivilege 3620 winkeybrd.exe Token: SeIncBasePriorityPrivilege 932 winkeybrd.exe Token: SeIncBasePriorityPrivilege 832 winkeybrd.exe Token: SeIncBasePriorityPrivilege 5408 winkeybrd.exe Token: SeIncBasePriorityPrivilege 4796 winkeybrd.exe Token: SeIncBasePriorityPrivilege 3036 winkeybrd.exe Token: SeIncBasePriorityPrivilege 5004 winkeybrd.exe Token: SeIncBasePriorityPrivilege 1504 winkeybrd.exe Token: SeIncBasePriorityPrivilege 2180 winkeybrd.exe Token: SeIncBasePriorityPrivilege 692 winkeybrd.exe Token: SeIncBasePriorityPrivilege 1116 winkeybrd.exe Token: SeIncBasePriorityPrivilege 3644 winkeybrd.exe Token: SeIncBasePriorityPrivilege 3228 winkeybrd.exe Token: SeIncBasePriorityPrivilege 2856 winkeybrd.exe Token: SeIncBasePriorityPrivilege 4596 winkeybrd.exe Token: SeIncBasePriorityPrivilege 3588 winkeybrd.exe Token: SeIncBasePriorityPrivilege 2624 winkeybrd.exe Token: SeIncBasePriorityPrivilege 3704 winkeybrd.exe Token: SeIncBasePriorityPrivilege 6068 winkeybrd.exe Token: SeIncBasePriorityPrivilege 5712 winkeybrd.exe Token: SeIncBasePriorityPrivilege 2696 winkeybrd.exe Token: SeIncBasePriorityPrivilege 4504 winkeybrd.exe Token: SeIncBasePriorityPrivilege 4200 winkeybrd.exe Token: SeIncBasePriorityPrivilege 3456 winkeybrd.exe Token: SeIncBasePriorityPrivilege 4552 winkeybrd.exe Token: SeIncBasePriorityPrivilege 5800 winkeybrd.exe Token: SeIncBasePriorityPrivilege 5328 winkeybrd.exe Token: SeIncBasePriorityPrivilege 5664 winkeybrd.exe Token: SeIncBasePriorityPrivilege 832 winkeybrd.exe Token: SeIncBasePriorityPrivilege 348 winkeybrd.exe Token: SeIncBasePriorityPrivilege 2364 winkeybrd.exe Token: SeIncBasePriorityPrivilege 2688 winkeybrd.exe Token: SeIncBasePriorityPrivilege 4188 winkeybrd.exe Token: SeIncBasePriorityPrivilege 5180 winkeybrd.exe Token: SeIncBasePriorityPrivilege 2704 winkeybrd.exe Token: SeIncBasePriorityPrivilege 2876 winkeybrd.exe Token: SeIncBasePriorityPrivilege 5072 winkeybrd.exe Token: SeIncBasePriorityPrivilege 1232 winkeybrd.exe Token: SeIncBasePriorityPrivilege 3504 winkeybrd.exe Token: SeIncBasePriorityPrivilege 5888 winkeybrd.exe Token: SeIncBasePriorityPrivilege 1868 winkeybrd.exe Token: SeIncBasePriorityPrivilege 2740 winkeybrd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2188 wrote to memory of 2244 2188 21472adb4e82304c6bdeb9a3a5c85e1f_JaffaCakes118.exe 82 PID 2188 wrote to memory of 2244 2188 21472adb4e82304c6bdeb9a3a5c85e1f_JaffaCakes118.exe 82 PID 2188 wrote to memory of 2244 2188 21472adb4e82304c6bdeb9a3a5c85e1f_JaffaCakes118.exe 82 PID 2188 wrote to memory of 5372 2188 21472adb4e82304c6bdeb9a3a5c85e1f_JaffaCakes118.exe 83 PID 2188 wrote to memory of 5372 2188 21472adb4e82304c6bdeb9a3a5c85e1f_JaffaCakes118.exe 83 PID 2188 wrote to memory of 5372 2188 21472adb4e82304c6bdeb9a3a5c85e1f_JaffaCakes118.exe 83 PID 2244 wrote to memory of 5992 2244 winkeybrd.exe 86 PID 2244 wrote to memory of 5992 2244 winkeybrd.exe 86 PID 2244 wrote to memory of 5992 2244 winkeybrd.exe 86 PID 2244 wrote to memory of 3968 2244 winkeybrd.exe 87 PID 2244 wrote to memory of 3968 2244 winkeybrd.exe 87 PID 2244 wrote to memory of 3968 2244 winkeybrd.exe 87 PID 5992 wrote to memory of 2888 5992 winkeybrd.exe 90 PID 5992 wrote to memory of 2888 5992 winkeybrd.exe 90 PID 5992 wrote to memory of 2888 5992 winkeybrd.exe 90 PID 5992 wrote to memory of 4112 5992 winkeybrd.exe 91 PID 5992 wrote to memory of 4112 5992 winkeybrd.exe 91 PID 5992 wrote to memory of 4112 5992 winkeybrd.exe 91 PID 2888 wrote to memory of 5912 2888 winkeybrd.exe 94 PID 2888 wrote to memory of 5912 2888 winkeybrd.exe 94 PID 2888 wrote to memory of 5912 2888 winkeybrd.exe 94 PID 2888 wrote to memory of 5924 2888 winkeybrd.exe 95 PID 2888 wrote to memory of 5924 2888 winkeybrd.exe 95 PID 2888 wrote to memory of 5924 2888 winkeybrd.exe 95 PID 5912 wrote to memory of 3328 5912 winkeybrd.exe 97 PID 5912 wrote to memory of 3328 5912 winkeybrd.exe 97 PID 5912 wrote to memory of 3328 5912 winkeybrd.exe 97 PID 5912 wrote to memory of 5956 5912 winkeybrd.exe 98 PID 5912 wrote to memory of 5956 5912 winkeybrd.exe 98 PID 5912 wrote to memory of 5956 5912 winkeybrd.exe 98 PID 3328 wrote to memory of 1540 3328 winkeybrd.exe 100 PID 3328 wrote to memory of 1540 3328 winkeybrd.exe 100 PID 3328 wrote to memory of 1540 3328 winkeybrd.exe 100 PID 3328 wrote to memory of 5212 3328 winkeybrd.exe 101 PID 3328 wrote to memory of 5212 3328 winkeybrd.exe 101 PID 3328 wrote to memory of 5212 3328 winkeybrd.exe 101 PID 1540 wrote to memory of 2416 1540 winkeybrd.exe 103 PID 1540 wrote to memory of 2416 1540 winkeybrd.exe 103 PID 1540 wrote to memory of 2416 1540 winkeybrd.exe 103 PID 1540 wrote to memory of 2216 1540 winkeybrd.exe 104 PID 1540 wrote to memory of 2216 1540 winkeybrd.exe 104 PID 1540 wrote to memory of 2216 1540 winkeybrd.exe 104 PID 2416 wrote to memory of 5880 2416 winkeybrd.exe 106 PID 2416 wrote to memory of 5880 2416 winkeybrd.exe 106 PID 2416 wrote to memory of 5880 2416 winkeybrd.exe 106 PID 2416 wrote to memory of 3584 2416 winkeybrd.exe 107 PID 2416 wrote to memory of 3584 2416 winkeybrd.exe 107 PID 2416 wrote to memory of 3584 2416 winkeybrd.exe 107 PID 5880 wrote to memory of 1736 5880 winkeybrd.exe 109 PID 5880 wrote to memory of 1736 5880 winkeybrd.exe 109 PID 5880 wrote to memory of 1736 5880 winkeybrd.exe 109 PID 5880 wrote to memory of 1964 5880 winkeybrd.exe 110 PID 5880 wrote to memory of 1964 5880 winkeybrd.exe 110 PID 5880 wrote to memory of 1964 5880 winkeybrd.exe 110 PID 1736 wrote to memory of 348 1736 winkeybrd.exe 112 PID 1736 wrote to memory of 348 1736 winkeybrd.exe 112 PID 1736 wrote to memory of 348 1736 winkeybrd.exe 112 PID 1736 wrote to memory of 4780 1736 winkeybrd.exe 113 PID 1736 wrote to memory of 4780 1736 winkeybrd.exe 113 PID 1736 wrote to memory of 4780 1736 winkeybrd.exe 113 PID 348 wrote to memory of 2956 348 winkeybrd.exe 115 PID 348 wrote to memory of 2956 348 winkeybrd.exe 115 PID 348 wrote to memory of 2956 348 winkeybrd.exe 115 PID 348 wrote to memory of 1160 348 winkeybrd.exe 116
Processes
-
C:\Users\Admin\AppData\Local\Temp\21472adb4e82304c6bdeb9a3a5c85e1f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\21472adb4e82304c6bdeb9a3a5c85e1f_JaffaCakes118.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5992 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5912 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"9⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5880 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"10⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2956 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5204 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3552 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5004 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"16⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1636 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4432 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5916 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3144 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5356 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2380 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4608 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"23⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3620 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:932 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"25⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:832 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5408 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4796 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"28⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3036 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"29⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5004 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"30⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1504 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2180 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:692 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"33⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1116 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3644 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"35⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3228 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"36⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2856 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"37⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4596 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"38⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3588 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2624 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"40⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3704 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"41⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6068 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"42⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5712 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"43⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2696 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"44⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4504 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"45⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4200 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"46⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3456 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"47⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4552 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5800 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"49⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5328 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"50⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5664 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"51⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:832 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"52⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:348 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"53⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2364 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"54⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2688 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4188 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5180 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"57⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2704 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"58⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2876 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"59⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5072 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"60⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1232 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3504 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"62⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5888 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"63⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1868 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"64⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2740 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"65⤵
- Executes dropped EXE
PID:5588 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"66⤵
- Adds Run key to start application
PID:2068 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"67⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:5152 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"68⤵
- Checks computer location settings
PID:3532 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"69⤵PID:4808
-
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"70⤵PID:2524
-
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"71⤵PID:5472
-
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"72⤵
- Modifies registry class
PID:4152 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"73⤵
- Checks computer location settings
PID:1540 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"74⤵PID:112
-
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"75⤵
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"76⤵PID:872
-
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"77⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"78⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"79⤵PID:3524
-
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"80⤵
- Adds Run key to start application
PID:4740 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"81⤵
- Adds Run key to start application
PID:5148 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"82⤵
- Checks computer location settings
PID:1856 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"83⤵
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"84⤵
- Modifies registry class
PID:1292 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"85⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1252 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"86⤵
- Adds Run key to start application
- Modifies registry class
PID:4464 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"87⤵PID:3768
-
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"88⤵
- Drops file in System32 directory
PID:5304 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"89⤵
- Adds Run key to start application
- Modifies registry class
PID:572 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"90⤵PID:4608
-
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"91⤵
- Adds Run key to start application
PID:4268 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"92⤵PID:2404
-
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"93⤵
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"94⤵PID:5588
-
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"95⤵
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"96⤵PID:3244
-
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"97⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"98⤵
- Checks computer location settings
PID:4176 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"99⤵PID:1944
-
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"100⤵
- Checks computer location settings
PID:5652 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"101⤵
- Checks computer location settings
PID:1728 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"102⤵
- Modifies registry class
PID:3520 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"103⤵PID:2732
-
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"104⤵PID:4756
-
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"105⤵
- Modifies registry class
PID:3788 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"106⤵
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"107⤵
- Drops file in System32 directory
PID:5684 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"108⤵PID:6048
-
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"109⤵
- Adds Run key to start application
PID:3524 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"110⤵
- Adds Run key to start application
PID:4472 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"111⤵
- Checks computer location settings
PID:3532 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"112⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"113⤵
- Adds Run key to start application
- Modifies registry class
PID:5640 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"114⤵
- Drops file in System32 directory
- Modifies registry class
PID:5960 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"115⤵
- Adds Run key to start application
- Modifies registry class
PID:1420 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"116⤵PID:1116
-
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"117⤵
- Adds Run key to start application
PID:312 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"118⤵
- Adds Run key to start application
PID:3792 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"119⤵
- Checks computer location settings
- Modifies registry class
PID:3508 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"120⤵
- Adds Run key to start application
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\winkeybrd.exe"C:\Windows\system32\winkeybrd.exe"121⤵
- Adds Run key to start application
PID:3712
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-