Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 08/12/2024, 05:03
Behavioral task: behavioral1
Sample: d55f2c86aa37481e890c2ae73e0d0776_JaffaCakes118.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: d55f2c86aa37481e890c2ae73e0d0776_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: d55f2c86aa37481e890c2ae73e0d0776_JaffaCakes118.exe
Size: 186KB
MD5: d55f2c86aa37481e890c2ae73e0d0776
SHA1: a2b912d05735877e2f36251d89b914d1c2ad9aa6
SHA256: 0db33a2a637c0bbad563c80db60ce59c68a8af018fe39aa5042e85308cfbf29c
SHA512: c3cbc9972ffc0a779b53c7fec715d57435e2250234e0fc652fd24a4c26b1a122a69b4dc043258a09a07f17fc3894191140f62a43e7ed3cbde03e25083b6643b5
SSDEEP: 3072:5tzHS0RyWuX3xNHz+3IhuYa13atOstcAf47EkKtFpLG5A5Xw8KCHvkxKcyJvOXIj:zLTSvHDuYa1IcAP1FEUcyJWXe9
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Modiloader family
ModiLoader Second Stage 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Adds Run key to start application 2 TTPs 64 IoCs
Drops file in System32 directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\d55f2c86aa37481e890c2ae73e0d0776_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\d55f2c86aa37481e890c2ae73e0d0776_JaffaCakes118.exe"
   PID:2956
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

Levels 2 to 122 form a single chain, each process the child of the one above it. Every one of them is the dropped image C:\Windows\SysWOW64\booter.exe started with the command line C:\Windows\system32\booter.exe (the image path differs from the command line because a 32-bit process's reference to system32 is redirected to SysWOW64 by WOW64 file system redirection). Several PIDs, among them 2712, 2644, 448 and 2412, are handed out twice in the chain once the earlier holder has exited.

Level  PID   Behaviours
2      2136  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
3      2712  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
4      2864  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
5      2884  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
6      2644  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
7      2696  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
8      1708  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
9      2056  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
10     2720  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
11     448   Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
12     2908  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
13     528   Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
14     2640  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
15     2412  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
16     2356  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
17     2660  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
18     2544  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
19     2896  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
20     3044  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
21     3048  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
22     2852  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
23     1320  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
24     2552  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
25     2512  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
26     1824  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
27     2276  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
28     2240  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
29     1988  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
30     1680  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
31     2168  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
32     1984  Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
33     2296  Executes dropped EXE
34     1244  Executes dropped EXE
35     1468  Executes dropped EXE
36     1580  Executes dropped EXE; System Location Discovery: System Language Discovery
37     1064  Executes dropped EXE
38     1760  Executes dropped EXE; System Location Discovery: System Language Discovery
39     1480  Executes dropped EXE
40     772   Executes dropped EXE
41     1240  Executes dropped EXE
42     2328  Executes dropped EXE
43     2028  Executes dropped EXE
44     1484  Executes dropped EXE
45     2024  Executes dropped EXE
46     1368  Executes dropped EXE
47     1376  Executes dropped EXE
48     1852  Executes dropped EXE
49     1764  Executes dropped EXE
50     1336  Executes dropped EXE
51     288   Executes dropped EXE
52     1724  Executes dropped EXE
53     1060  Executes dropped EXE; Drops file in System32 directory
54     748   Executes dropped EXE
55     1700  Executes dropped EXE
56     2600  Executes dropped EXE
57     2528  Executes dropped EXE
58     2620  Executes dropped EXE
59     2408  Executes dropped EXE
60     2012  Executes dropped EXE
61     824   Executes dropped EXE
62     1772  Executes dropped EXE
63     660   Executes dropped EXE
64     1448  Executes dropped EXE
65     2424  Executes dropped EXE
66     1056  (none recorded)
67     1052  (none recorded)
68     880   (none recorded)
69     2200  (none recorded)
70     2020  (none recorded)
71     2488  (none recorded)
72     2984  (none recorded)
73     2224  (none recorded)
74     2712  (none recorded)
75     1676  (none recorded)
76     2704  (none recorded)
77     2812  (none recorded)
78     2644  Drops file in System32 directory
79     2708  (none recorded)
80     2568  (none recorded)
81     2220  (none recorded)
82     484   (none recorded)
83     448   (none recorded)
84     2252  (none recorded)
85     2128  (none recorded)
86     2412  (none recorded)
87     2116  (none recorded)
88     2660  (none recorded)
89     2924  Adds Run key to start application
90     3036  (none recorded)
91     3032  (none recorded)
92     3048  (none recorded)
93     2932  (none recorded)
94     2764  (none recorded)
95     2564  (none recorded)
96     2916  (none recorded)
97     2276  (none recorded)
98     2240  (none recorded)
99     1988  (none recorded)
100    1680  (none recorded)
101    2168  (none recorded)
102    344   (none recorded)
103    1660  (none recorded)
104    1472  Adds Run key to start application
105    2212  (none recorded)
106    1140  (none recorded)
107    552   (none recorded)
108    1480  (none recorded)
109    772   (none recorded)
110    2472  (none recorded)
111    1068  (none recorded)
112    2732  (none recorded)
113    1484  (none recorded)
114    1616  (none recorded)
115    2320  (none recorded)
116    1804  (none recorded)
117    572   (none recorded)
118    2728  (none recorded)
119    1508  (none recorded)
120    288   (none recorded)
121    2120  (none recorded)
122    1816  (none recorded)
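The two behaviours that stand out in this run are a dropped binary re-executing itself through more than a hundred generations and each parent calling WriteProcessMemory on the child it just created, while PIDs are recycled part-way down the chain (the 2640 → 2412 write is attributed to process index 114, the second holder of PID 2412). The following is an added detection example written for this page; it is not the sandbox's code and not part of the report. It assumes a process list and WriteProcessMemory events keyed by a sandbox-unique process index (standing in for the report's procid_target column), and all events in it are constructed to mirror the shape of the tree above, including one recycled PID.

```python
"""Flag a self-re-executing chain in which each parent writes into its own child.

Added example; the events below are constructed to resemble the report above.
'procid' models the sandbox's per-process index, which, unlike a PID, is never recycled.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BOOTER = r"C:\Windows\SysWOW64\booter.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\d55f2c86aa37481e890c2ae73e0d0776_JaffaCakes118.exe"


@dataclass(frozen=True)
class Proc:
    procid: int            # sandbox-unique process index
    pid: int               # Windows PID, may be handed out again after the holder exits
    parent: Optional[int]  # procid of the creating process, None for a root
    image: str


@dataclass(frozen=True)
class MemWrite:
    src: int               # procid of the caller of WriteProcessMemory
    dst: int               # procid of the target process


# Constructed sample: dropper -> booter.exe -> booter.exe ..., with PID 2712 recycled.
PROCS: List[Proc] = [
    Proc(29, 2956, None, DROPPER),
    Proc(30, 2136, 29, BOOTER),
    Proc(31, 2712, 30, BOOTER),
    Proc(32, 2864, 31, BOOTER),
    Proc(33, 2884, 32, BOOTER),
    Proc(34, 2644, 33, BOOTER),
    Proc(35, 2712, 34, BOOTER),   # same PID as procid 31, a different process
    Proc(36, 1580, 35, BOOTER),
    Proc(40, 1200, None, r"C:\Windows\explorer.exe"),
    Proc(41, 1300, 40, r"C:\Windows\System32\notepad.exe"),
]
WRITES: List[MemWrite] = [
    MemWrite(29, 30), MemWrite(30, 31), MemWrite(31, 32),
    MemWrite(32, 33), MemWrite(33, 34), MemWrite(34, 35),
    MemWrite(41, 40),   # child writing into its parent: a different pattern, not flagged here
]


def basename(image: str) -> str:
    """Case-insensitive file name of a Windows path, independent of the host OS separator."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def reused_pids(procs: List[Proc]) -> Dict[int, List[int]]:
    """PIDs that named more than one process; joining on PID alone would mis-attribute writes."""
    seen: Dict[int, List[int]] = defaultdict(list)
    for p in procs:
        seen[p.pid].append(p.procid)
    return {pid: ids for pid, ids in seen.items() if len(ids) > 1}


def self_spawn_chains(procs: List[Proc]) -> Dict[str, int]:
    """Longest parent->child run of processes sharing one image name, per image name."""
    idx = {p.procid: p for p in procs}
    depth: Dict[int, int] = {}

    def run_length(procid: int) -> int:
        if procid in depth:
            return depth[procid]
        p = idx[procid]
        parent = idx.get(p.parent) if p.parent is not None else None
        if parent is not None and basename(parent.image) == basename(p.image):
            depth[procid] = run_length(parent.procid) + 1
        else:
            depth[procid] = 1
        return depth[procid]

    longest: Dict[str, int] = defaultdict(int)
    for p in procs:
        name = basename(p.image)
        longest[name] = max(longest[name], run_length(p.procid))
    return dict(longest)


def parent_to_child_writes(procs: List[Proc], writes: List[MemWrite]) -> List[Tuple[int, int, bool]]:
    """WriteProcessMemory calls where the writer is the target's direct parent (the
    create-then-write shape of hollowing and early-stage injection).
    Returns (writer PID, target PID, both run the same image name)."""
    idx = {p.procid: p for p in procs}
    hits = []
    for w in writes:
        src, dst = idx.get(w.src), idx.get(w.dst)
        if src is None or dst is None or dst.parent != src.procid:
            continue
        hits.append((src.pid, dst.pid, basename(src.image) == basename(dst.image)))
    return hits


def triage(procs: List[Proc], writes: List[MemWrite]) -> dict:
    """'suspicious' requires both a self-spawn chain and a parent writing into a child of
    the same image, so a wrapper that relaunches itself once does not trip it."""
    chains = self_spawn_chains(procs)
    hits = parent_to_child_writes(procs, writes)
    top_image = max(chains, key=chains.get)
    return {
        "self_spawn_image": top_image,
        "max_self_spawn_depth": chains[top_image],
        "parent_child_writes": len(hits),
        "self_image_writes": sum(1 for _, _, same in hits if same),
        "reused_pids": reused_pids(procs),
        "suspicious": chains[top_image] >= 3 and any(same for _, _, same in hits),
    }


if __name__ == "__main__":
    for key, value in triage(PROCS, WRITES).items():
        print(f"{key}: {value}")
```

On the sample the chain of booter.exe is seven deep, five of the six parent-to-child writes are between two copies of the same image, and PID 2712 resolves to two distinct process indices; fed the real tree, the same logic would report a depth of 121 and flag the fifteen writes from the table above. The depth threshold of 3 is an assumption chosen for the example, not a value taken from the sandbox.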