Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21/09/2024, 06:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ef45290762f90bfbe6f80c55489881db_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
ef45290762f90bfbe6f80c55489881db_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
ef45290762f90bfbe6f80c55489881db_JaffaCakes118.exe
-
Size
210KB
-
MD5
ef45290762f90bfbe6f80c55489881db
-
SHA1
b783702176425a103409fe67acc4d75d57bf7dc5
-
SHA256
0d09307a388534d6930158a4be64ec1b974151484dd33a675d87659356288d68
-
SHA512
c5acade721ca9918d3329f0f94bb784592ef520639b47a6f03be36c8280fbf46a7be328ae4e8f6694179aad84da507e4b1fc86d7460e4672ee648952652078a0
-
SSDEEP
6144:yfGiQ6Hnv7Elgr6zYn2/77iI3xyhdOcqV+4:ylHAgd2KIzK4
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2692 diskdrive.exe 2524 diskdrive.exe 2788 diskdrive.exe 2480 diskdrive.exe 2888 diskdrive.exe 2732 diskdrive.exe 2724 diskdrive.exe 2848 diskdrive.exe 2772 diskdrive.exe 2640 diskdrive.exe 2340 diskdrive.exe 2384 diskdrive.exe 2968 diskdrive.exe 2980 diskdrive.exe 1996 diskdrive.exe 2596 diskdrive.exe 2696 diskdrive.exe 3020 diskdrive.exe 2704 diskdrive.exe 1864 diskdrive.exe 1476 diskdrive.exe 536 diskdrive.exe 1648 diskdrive.exe 448 diskdrive.exe 2268 diskdrive.exe 1060 diskdrive.exe 1784 diskdrive.exe 1772 diskdrive.exe 396 diskdrive.exe 1756 diskdrive.exe 1584 diskdrive.exe 556 diskdrive.exe 2324 diskdrive.exe 2284 diskdrive.exe 2424 diskdrive.exe 484 diskdrive.exe 580 diskdrive.exe 2224 diskdrive.exe 852 diskdrive.exe 1768 diskdrive.exe 2348 diskdrive.exe 1600 diskdrive.exe 2420 diskdrive.exe 1936 diskdrive.exe 1680 diskdrive.exe 2756 diskdrive.exe 1588 diskdrive.exe 2736 diskdrive.exe 2240 diskdrive.exe 828 diskdrive.exe 2572 diskdrive.exe 2432 diskdrive.exe 2924 diskdrive.exe 1300 diskdrive.exe 3060 diskdrive.exe 2764 diskdrive.exe 2728 diskdrive.exe 2644 diskdrive.exe 2156 diskdrive.exe 2708 diskdrive.exe 2744 diskdrive.exe 2984 diskdrive.exe 2672 diskdrive.exe 2836 diskdrive.exe -
Loads dropped DLL 64 IoCs
pid Process 1744 ef45290762f90bfbe6f80c55489881db_JaffaCakes118.exe 1744 ef45290762f90bfbe6f80c55489881db_JaffaCakes118.exe 2692 diskdrive.exe 2692 diskdrive.exe 2524 diskdrive.exe 2524 diskdrive.exe 2788 diskdrive.exe 2788 diskdrive.exe 2480 diskdrive.exe 2480 diskdrive.exe 2888 diskdrive.exe 2888 diskdrive.exe 2732 diskdrive.exe 2732 diskdrive.exe 2724 diskdrive.exe 2724 diskdrive.exe 2848 diskdrive.exe 2848 diskdrive.exe 2772 diskdrive.exe 2772 diskdrive.exe 2640 diskdrive.exe 2640 diskdrive.exe 2340 diskdrive.exe 2340 diskdrive.exe 2384 diskdrive.exe 2384 diskdrive.exe 2968 diskdrive.exe 2968 diskdrive.exe 2980 diskdrive.exe 2980 diskdrive.exe 1996 diskdrive.exe 1996 diskdrive.exe 2596 diskdrive.exe 2596 diskdrive.exe 2696 diskdrive.exe 2696 diskdrive.exe 3020 diskdrive.exe 3020 diskdrive.exe 2704 diskdrive.exe 2704 diskdrive.exe 1864 diskdrive.exe 1864 diskdrive.exe 1476 diskdrive.exe 1476 diskdrive.exe 536 diskdrive.exe 536 diskdrive.exe 1648 diskdrive.exe 1648 diskdrive.exe 448 diskdrive.exe 448 diskdrive.exe 2268 diskdrive.exe 2268 diskdrive.exe 1060 diskdrive.exe 1060 diskdrive.exe 1784 diskdrive.exe 1784 diskdrive.exe 1772 diskdrive.exe 1772 diskdrive.exe 396 diskdrive.exe 396 diskdrive.exe 1756 diskdrive.exe 1756 diskdrive.exe 1584 diskdrive.exe 1584 diskdrive.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" diskdrive.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\diskdrive.exe Process not Found File opened for modification C:\Windows\SysWOW64\diskdrive.exe Process not Found File created C:\Windows\SysWOW64\diskdrive.exe Process not Found File opened for modification C:\Windows\SysWOW64\diskdrive.exe Process not Found File created C:\Windows\SysWOW64\diskdrive.exe Process not Found File created C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File created C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File created C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File opened for modification C:\Windows\SysWOW64\diskdrive.exe Process not Found File opened for modification C:\Windows\SysWOW64\diskdrive.exe Process not Found File opened for modification C:\Windows\SysWOW64\diskdrive.exe Process not Found File created C:\Windows\SysWOW64\diskdrive.exe Process not Found File created C:\Windows\SysWOW64\diskdrive.exe Process not Found File opened for modification C:\Windows\SysWOW64\diskdrive.exe Process not Found File created C:\Windows\SysWOW64\diskdrive.exe Process not Found File opened for modification C:\Windows\SysWOW64\diskdrive.exe Process not Found File opened for modification C:\Windows\SysWOW64\diskdrive.exe Process not Found File opened for modification C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File opened for modification C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File created C:\Windows\SysWOW64\diskdrive.exe Process not Found File created C:\Windows\SysWOW64\diskdrive.exe Process not Found File created C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File created C:\Windows\SysWOW64\diskdrive.exe Process not Found File opened for modification C:\Windows\SysWOW64\diskdrive.exe Process not Found File opened for modification C:\Windows\SysWOW64\diskdrive.exe Process not Found File opened for modification C:\Windows\SysWOW64\diskdrive.exe Process not Found File opened for modification C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File opened for modification C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File created C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File opened for modification C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File opened for modification C:\Windows\SysWOW64\diskdrive.exe Process not Found File created C:\Windows\SysWOW64\diskdrive.exe Process not Found File created C:\Windows\SysWOW64\diskdrive.exe Process not Found File opened for modification C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File created C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File opened for modification C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File opened for modification C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File opened for modification C:\Windows\SysWOW64\diskdrive.exe Process not Found File created C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File created C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File opened for modification C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File opened for modification C:\Windows\SysWOW64\diskdrive.exe Process not Found File created C:\Windows\SysWOW64\diskdrive.exe Process not Found File created C:\Windows\SysWOW64\diskdrive.exe Process not Found File created C:\Windows\SysWOW64\diskdrive.exe Process not Found File created C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File opened for modification C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File opened for modification C:\Windows\SysWOW64\diskdrive.exe Process not Found File created C:\Windows\SysWOW64\diskdrive.exe Process not Found File opened for modification C:\Windows\SysWOW64\diskdrive.exe Process not Found File created C:\Windows\SysWOW64\diskdrive.exe Process not Found File opened for modification C:\Windows\SysWOW64\diskdrive.exe Process not Found File opened for modification C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File opened for modification C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File opened for modification C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File created C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File opened for modification C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File created C:\Windows\SysWOW64\diskdrive.exe Process not Found File opened for modification C:\Windows\SysWOW64\diskdrive.exe Process not Found File created C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File opened for modification C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File created C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe File created C:\Windows\SysWOW64\diskdrive.exe Process not Found File created C:\Windows\SysWOW64\diskdrive.exe diskdrive.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language diskdrive.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language diskdrive.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language diskdrive.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language diskdrive.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language diskdrive.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language diskdrive.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language diskdrive.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language diskdrive.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language diskdrive.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language diskdrive.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language diskdrive.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language diskdrive.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language diskdrive.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language diskdrive.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language diskdrive.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language diskdrive.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language diskdrive.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language diskdrive.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1744 wrote to memory of 2692 1744 ef45290762f90bfbe6f80c55489881db_JaffaCakes118.exe 30 PID 1744 wrote to memory of 2692 1744 ef45290762f90bfbe6f80c55489881db_JaffaCakes118.exe 30 PID 1744 wrote to memory of 2692 1744 ef45290762f90bfbe6f80c55489881db_JaffaCakes118.exe 30 PID 1744 wrote to memory of 2692 1744 ef45290762f90bfbe6f80c55489881db_JaffaCakes118.exe 30 PID 2692 wrote to memory of 2524 2692 diskdrive.exe 31 PID 2692 wrote to memory of 2524 2692 diskdrive.exe 31 PID 2692 wrote to memory of 2524 2692 diskdrive.exe 31 PID 2692 wrote to memory of 2524 2692 diskdrive.exe 31 PID 2524 wrote to memory of 2788 2524 diskdrive.exe 32 PID 2524 wrote to memory of 2788 2524 diskdrive.exe 32 PID 2524 wrote to memory of 2788 2524 diskdrive.exe 32 PID 2524 wrote to memory of 2788 2524 diskdrive.exe 32 PID 2788 wrote to memory of 2480 2788 diskdrive.exe 33 PID 2788 wrote to memory of 2480 2788 diskdrive.exe 33 PID 2788 wrote to memory of 2480 2788 diskdrive.exe 33 PID 2788 wrote to memory of 2480 2788 diskdrive.exe 33 PID 2480 wrote to memory of 2888 2480 diskdrive.exe 34 PID 2480 wrote to memory of 2888 2480 diskdrive.exe 34 PID 2480 wrote to memory of 2888 2480 diskdrive.exe 34 PID 2480 wrote to memory of 2888 2480 diskdrive.exe 34 PID 2888 wrote to memory of 2732 2888 diskdrive.exe 35 PID 2888 wrote to memory of 2732 2888 diskdrive.exe 35 PID 2888 wrote to memory of 2732 2888 diskdrive.exe 35 PID 2888 wrote to memory of 2732 2888 diskdrive.exe 35 PID 2732 wrote to memory of 2724 2732 diskdrive.exe 36 PID 2732 wrote to memory of 2724 2732 diskdrive.exe 36 PID 2732 wrote to memory of 2724 2732 diskdrive.exe 36 PID 2732 wrote to memory of 2724 2732 diskdrive.exe 36 PID 2724 wrote to memory of 2848 2724 diskdrive.exe 37 PID 2724 wrote to memory of 2848 2724 diskdrive.exe 37 PID 2724 wrote to memory of 2848 2724 diskdrive.exe 37 PID 2724 wrote to memory of 2848 2724 diskdrive.exe 37 PID 2848 wrote to memory of 2772 2848 diskdrive.exe 38 PID 2848 wrote to memory of 2772 2848 diskdrive.exe 38 PID 2848 wrote to memory of 2772 2848 diskdrive.exe 38 PID 2848 wrote to memory of 2772 2848 diskdrive.exe 38 PID 2772 wrote to memory of 2640 2772 diskdrive.exe 39 PID 2772 wrote to memory of 2640 2772 diskdrive.exe 39 PID 2772 wrote to memory of 2640 2772 diskdrive.exe 39 PID 2772 wrote to memory of 2640 2772 diskdrive.exe 39 PID 2640 wrote to memory of 2340 2640 diskdrive.exe 40 PID 2640 wrote to memory of 2340 2640 diskdrive.exe 40 PID 2640 wrote to memory of 2340 2640 diskdrive.exe 40 PID 2640 wrote to memory of 2340 2640 diskdrive.exe 40 PID 2340 wrote to memory of 2384 2340 diskdrive.exe 41 PID 2340 wrote to memory of 2384 2340 diskdrive.exe 41 PID 2340 wrote to memory of 2384 2340 diskdrive.exe 41 PID 2340 wrote to memory of 2384 2340 diskdrive.exe 41 PID 2384 wrote to memory of 2968 2384 diskdrive.exe 42 PID 2384 wrote to memory of 2968 2384 diskdrive.exe 42 PID 2384 wrote to memory of 2968 2384 diskdrive.exe 42 PID 2384 wrote to memory of 2968 2384 diskdrive.exe 42 PID 2968 wrote to memory of 2980 2968 diskdrive.exe 43 PID 2968 wrote to memory of 2980 2968 diskdrive.exe 43 PID 2968 wrote to memory of 2980 2968 diskdrive.exe 43 PID 2968 wrote to memory of 2980 2968 diskdrive.exe 43 PID 2980 wrote to memory of 1996 2980 diskdrive.exe 44 PID 2980 wrote to memory of 1996 2980 diskdrive.exe 44 PID 2980 wrote to memory of 1996 2980 diskdrive.exe 44 PID 2980 wrote to memory of 1996 2980 diskdrive.exe 44 PID 1996 wrote to memory of 2596 1996 diskdrive.exe 45 PID 1996 wrote to memory of 2596 1996 diskdrive.exe 45 PID 1996 wrote to memory of 2596 1996 diskdrive.exe 45 PID 1996 wrote to memory of 2596 1996 diskdrive.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef45290762f90bfbe6f80c55489881db_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ef45290762f90bfbe6f80c55489881db_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1476 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:536 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:448 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1060 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:396 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe33⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe34⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe35⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe36⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe37⤵
- Executes dropped EXE
- Adds Run key to start application
PID:484 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe38⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe39⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe40⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe41⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe42⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe45⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe46⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe47⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe48⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe49⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe50⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe51⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe52⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe53⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe54⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe55⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe56⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe57⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe58⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe59⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe60⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe61⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe62⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe63⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe64⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe65⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2836 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe66⤵PID:2932
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe67⤵PID:1100
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe68⤵PID:1704
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe69⤵PID:2820
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe70⤵PID:1644
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe71⤵PID:2964
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe72⤵PID:2076
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe73⤵PID:2780
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe74⤵PID:2664
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe75⤵PID:604
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe76⤵PID:2624
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe77⤵PID:724
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe78⤵PID:1872
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe79⤵PID:2592
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe80⤵PID:2152
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe81⤵PID:1932
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe82⤵PID:2976
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe83⤵PID:2460
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe84⤵PID:2108
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe85⤵PID:2364
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe86⤵PID:2876
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe87⤵PID:3004
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe88⤵PID:2080
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe89⤵PID:608
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe90⤵PID:2856
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe91⤵PID:1320
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe92⤵PID:2960
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe93⤵PID:2684
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe94⤵PID:2996
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe95⤵PID:944
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe96⤵PID:348
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe97⤵PID:1992
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe98⤵PID:316
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe99⤵PID:1392
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe100⤵PID:1552
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe101⤵PID:2228
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe102⤵PID:1580
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe103⤵PID:1948
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe104⤵PID:1696
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe105⤵PID:1708
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe106⤵PID:1700
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe107⤵PID:792
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe108⤵PID:1544
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe109⤵PID:1724
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe110⤵
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe111⤵PID:2400
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe112⤵PID:2416
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe113⤵PID:2436
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe114⤵PID:2456
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe115⤵PID:552
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe116⤵PID:1504
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe117⤵PID:2380
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe118⤵PID:2012
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe119⤵PID:1220
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe120⤵
- Adds Run key to start application
PID:560 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe121⤵PID:2216
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-