Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08-12-2024 05:03
Behavioral task
behavioral1
Sample
d55f2c86aa37481e890c2ae73e0d0776_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
d55f2c86aa37481e890c2ae73e0d0776_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
d55f2c86aa37481e890c2ae73e0d0776_JaffaCakes118.exe
-
Size
186KB
-
MD5
d55f2c86aa37481e890c2ae73e0d0776
-
SHA1
a2b912d05735877e2f36251d89b914d1c2ad9aa6
-
SHA256
0db33a2a637c0bbad563c80db60ce59c68a8af018fe39aa5042e85308cfbf29c
-
SHA512
c3cbc9972ffc0a779b53c7fec715d57435e2250234e0fc652fd24a4c26b1a122a69b4dc043258a09a07f17fc3894191140f62a43e7ed3cbde03e25083b6643b5
-
SSDEEP
3072:5tzHS0RyWuX3xNHz+3IhuYa13atOstcAf47EkKtFpLG5A5Xw8KCHvkxKcyJvOXIj:zLTSvHDuYa1IcAP1FEUcyJWXe9
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system rebooter = "C:\\Windows\\system32\\booter.exe" booter.exe
-
Drops file in System32 directory 64 IoCs
description ioc Process
File created C:\Windows\SysWOW64\booter.exe Process not Found
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Each row is a child of the row above it (depth = nesting level in the process tree).

depth  PID   image path                      command line                    signatures
1      3668  C:\Users\Admin\AppData\Local\Temp\d55f2c86aa37481e890c2ae73e0d0776_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\d55f2c86aa37481e890c2ae73e0d0776_JaffaCakes118.exe"  Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
2      4656  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
3      2580  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
4      3276  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
5      1984  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
6      4812  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
7      4176  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
8      2572  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
9      3136  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
10     3988  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
11     1212  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
12     3140  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
13     2440  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
14     1280  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
15     2340  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
16     1788  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
17     4240  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
18     536   C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
19     972   C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
20     4496  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
21     100   C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
22     3752  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
23     1120  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
24     3248  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
25     1460  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
26     3576  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
27     1820  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
28     2396  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
29     3764  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
30     4780  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
31     4992  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
32     960   C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
33     2588  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
34     4520  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
35     1828  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
36     2184  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
37     4140  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
38     4892  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
39     3324  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE; System Location Discovery: System Language Discovery
40     4388  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
41     2816  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
42     4144  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
43     1576  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
44     1196  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
45     1220  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
46     2300  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
47     2136  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
48     3972  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
49     996   C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
50     3580  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
51     3148  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
52     3320  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
53     4348  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
54     1988  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
55     4352  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
56     1328  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
57     4428  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
58     2276  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
59     3308  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
60     4760  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
61     924   C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
62     2100  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
63     4936  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
64     4028  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
65     3044  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  Executes dropped EXE
66     2296  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
67     1388  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
68     704   C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
69     4368  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
70     1864  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
71     3668  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
72     4656  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
73     464   C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
74     3404  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
75     5116  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
76     384   C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
77     4812  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
78     4176  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
79     4228  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
80     1440  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
81     4396  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
82     4940  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
83     3684  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
84     2156  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
85     456   C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
86     1216  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
87     3212  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
88     2452  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
89     2340  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
90     3256  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
91     1476  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
92     5008  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
93     832   C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
94     3280  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
95     3004  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
96     2756  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  System Location Discovery: System Language Discovery
97     3824  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
98     4596  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
99     4052  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
100    1960  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
101    4836  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
102    3576  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
103    3768  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
104    2396  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
105    3764  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
106    1124  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
107    4900  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
108    3740  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
109    1404  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
110    448   C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
111    720   C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
112    1828  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
113    2184  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
114    4456  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  System Location Discovery: System Language Discovery
115    836   C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
116    2844  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
117    344   C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
118    1900  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
119    3108  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
120    1068  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
121    2176  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
122    3816  C:\Windows\SysWOW64\booter.exe  C:\Windows\system32\booter.exe  (none)
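The WriteProcessMemory table and the process tree above describe one linear chain: the sample drops booter.exe, and every booter.exe starts the next one, 122 levels deep. The script below is an added example and is not code from the sandbox or from the report. It takes the PIDs of the tree in order (transcribed from the report) and an excerpt of the WriteProcessMemory table (the first three parent/child pairs and the last one), collapses the repeated WriteProcessMemory rows into parent/child edges, cross-checks those edges against the tree, lists the PIDs that Windows recycled while the chain was still running, and flags the image-path versus command-line mismatch in the booter.exe rows (launched as C:\Windows\system32\booter.exe, executed from C:\Windows\SysWOW64\, which is the WOW64 file-system redirector at work on a 32-bit process). The function names, the summary layout and the assumption that the chain is strictly linear are mine.

```python
"""Walk the report's process tree and WriteProcessMemory table.

Added example, not code from the sandbox or the report. TREE_PIDS is every
PID of the process tree in tree order (transcribed from the report);
WPM_EXCERPT is a cut of the WriteProcessMemory table (the first three and the
last parent/child pairs), so it is treated as a partial edge list.
"""
import re
from collections import Counter

# Depth 1 is the submitted sample; every later entry is
# C:\Windows\SysWOW64\booter.exe spawned by the entry before it.
TREE_PIDS = [
    3668, 4656, 2580, 3276, 1984, 4812, 4176, 2572, 3136, 3988, 1212, 3140,
    2440, 1280, 2340, 1788, 4240, 536, 972, 4496, 100, 3752, 1120, 3248,
    1460, 3576, 1820, 2396, 3764, 4780, 4992, 960, 2588, 4520, 1828, 2184,
    4140, 4892, 3324, 4388, 2816, 4144, 1576, 1196, 1220, 2300, 2136, 3972,
    996, 3580, 3148, 3320, 4348, 1988, 4352, 1328, 4428, 2276, 3308, 4760,
    924, 2100, 4936, 4028, 3044, 2296, 1388, 704, 4368, 1864, 3668, 4656,
    464, 3404, 5116, 384, 4812, 4176, 4228, 1440, 4396, 4940, 3684, 2156,
    456, 1216, 3212, 2452, 2340, 3256, 1476, 5008, 832, 3280, 3004, 2756,
    3824, 4596, 4052, 1960, 4836, 3576, 3768, 2396, 3764, 1124, 4900, 3740,
    1404, 448, 720, 1828, 2184, 4456, 836, 2844, 344, 1900, 3108, 1068,
    2176, 3816,
]

WPM_EXCERPT = """\
PID 3668 wrote to memory of 4656 3668 d55f2c86aa37481e890c2ae73e0d0776_JaffaCakes118.exe 82
PID 3668 wrote to memory of 4656 3668 d55f2c86aa37481e890c2ae73e0d0776_JaffaCakes118.exe 82
PID 3668 wrote to memory of 4656 3668 d55f2c86aa37481e890c2ae73e0d0776_JaffaCakes118.exe 82
PID 4656 wrote to memory of 2580 4656 booter.exe 83
PID 4656 wrote to memory of 2580 4656 booter.exe 83
PID 4656 wrote to memory of 2580 4656 booter.exe 83
PID 2580 wrote to memory of 3276 2580 booter.exe 84
PID 2580 wrote to memory of 3276 2580 booter.exe 84
PID 2580 wrote to memory of 3276 2580 booter.exe 84
PID 3752 wrote to memory of 1120 3752 booter.exe 103
"""

# Report row: "PID <parent> wrote to memory of <child> <parent> <image> <target>"
WPM_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_wpm_edges(table_text):
    """(parent_pid, child_pid) -> number of rows. The sandbox logs several
    WriteProcessMemory calls per process start, so multiplicity is kept."""
    edges = Counter()
    for line in table_text.splitlines():
        m = WPM_ROW.match(line.strip())
        if m is None:
            continue
        parent, child, pid = int(m.group(1)), int(m.group(2)), int(m.group(3))
        if parent != pid:  # the pid column must repeat the writing process
            raise ValueError(f"inconsistent row: {line!r}")
        edges[(parent, child)] += 1
    return edges


def tree_edges(pids):
    """Parent/child pairs of a linear chain: each process has one child."""
    return list(zip(pids, pids[1:]))


def reused_pids(pids):
    """PIDs seen more than once: Windows recycled the number after the earlier
    instance exited, so PID-only correlation (no process GUID or start time)
    would merge two unrelated instances."""
    return sorted(pid for pid, n in Counter(pids).items() if n > 1)


def wow64_redirected(image_path, command_line):
    """True when the command line names System32 but the image ran from
    SysWOW64: the WOW64 file-system redirector maps System32 to SysWOW64 for
    32-bit processes, which is what the booter.exe rows show."""
    img, cmd = image_path.lower(), command_line.lower()
    return "\\windows\\syswow64\\" in img and "\\windows\\system32\\" in cmd


def edges_missing_from_tree(wpm_edges, pids):
    """WriteProcessMemory edges with no matching parent/child pair in the tree."""
    known = set(tree_edges(pids))
    return sorted(edge for edge in wpm_edges if edge not in known)


def summarize(pids, wpm_text, image=r"C:\Windows\SysWOW64\booter.exe",
              cmdline=r"C:\Windows\system32\booter.exe"):
    """Triage summary; image/cmdline default to the booter.exe rows."""
    wpm = parse_wpm_edges(wpm_text)
    return {
        "chain_depth": len(pids),
        "distinct_pids": len(set(pids)),
        "reused_pids": reused_pids(pids),
        "wpm_edges_missing_from_tree": edges_missing_from_tree(wpm, pids),
        "wow64_redirected": wow64_redirected(image, cmdline),
    }


if __name__ == "__main__":
    for key, value in summarize(TREE_PIDS, WPM_EXCERPT).items():
        print(f"{key}: {value}")
```

Ten of the 122 PIDs (3668 and 4656 among them) show up twice in the chain, which is why the depth-71 booter.exe must not be tied back to the depth-1 sample on PID alone: on a live host, correlate on process GUID or start time as well. The System32/SysWOW64 mismatch is worth keeping in the IOC set in both spellings, since the file the loader wrote is at C:\Windows\SysWOW64\booter.exe even though its own command line says system32.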