Analysis

max time kernel: 150s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/09/2024, 06:53

Static task: static1

Behavioral task: behavioral1
Sample: ef45290762f90bfbe6f80c55489881db_JaffaCakes118.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: ef45290762f90bfbe6f80c55489881db_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General

Target: ef45290762f90bfbe6f80c55489881db_JaffaCakes118.exe
Size: 210KB
MD5: ef45290762f90bfbe6f80c55489881db
SHA1: b783702176425a103409fe67acc4d75d57bf7dc5
SHA256: 0d09307a388534d6930158a4be64ec1b974151484dd33a675d87659356288d68
SHA512: c5acade721ca9918d3329f0f94bb784592ef520639b47a6f03be36c8280fbf46a7be328ae4e8f6694179aad84da507e4b1fc86d7460e4672ee648952652078a0
SSDEEP: 6144:yfGiQ6Hnv7Elgr6zYn2/77iI3xyhdOcqV+4:ylHAgd2KIzK4
Malware Config
Signatures

Executes dropped EXE (64 IoCs)
Process: diskdrive.exe (all 64 entries)
pids: 1472, 448, 4024, 264, 4356, 3940, 4896, 4564, 632, 2472, 992, 3944, 4700, 4424, 3948, 4224, 1392, 4376, 1100, 4808, 4036, 2432, 4880, 1288, 4956, 4404, 836, 3080, 2892, 4336, 3028, 4924, 4560, 1452, 1248, 3144, 3228, 4044, 4820, 4716, 2180, 2288, 3452, 4900, 2284, 4888, 5000, 4676, 4256, 4928, 2084, 4204, 4232, 4720, 2112, 1124, 1956, 1744, 4288, 2708, 3496, 3384, 320, 808
Adds Run key to start application (2 TTPs, 64 IoCs)
All 64 entries set the same Run value; the distinct rows are:

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" | diskdrive.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Drive Full = "C:\\Windows\\system32\\diskdrive.exe" | Process not Found
Drops file in System32 directory (64 IoCs)
All 64 entries concern the same file, C:\Windows\SysWOW64\diskdrive.exe; the distinct rows are:

description | ioc | Process
File created | C:\Windows\SysWOW64\diskdrive.exe | diskdrive.exe
File created | C:\Windows\SysWOW64\diskdrive.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\diskdrive.exe | diskdrive.exe
File opened for modification | C:\Windows\SysWOW64\diskdrive.exe | Process not Found
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 64 entries open the same key; the distinct rows are:

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | diskdrive.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Suspicious use of WriteProcessMemory (64 IoCs)
Each write is recorded three times in the report; the distinct rows, in order, form a single parent-to-child chain:

description | pid | Process | procid_target
PID 3316 wrote to memory of 1472 | 3316 | ef45290762f90bfbe6f80c55489881db_JaffaCakes118.exe | 84
PID 1472 wrote to memory of 448 | 1472 | diskdrive.exe | 85
PID 448 wrote to memory of 4024 | 448 | diskdrive.exe | 86
PID 4024 wrote to memory of 264 | 4024 | diskdrive.exe | 87
PID 264 wrote to memory of 4356 | 264 | diskdrive.exe | 88
PID 4356 wrote to memory of 3940 | 4356 | diskdrive.exe | 89
PID 3940 wrote to memory of 4896 | 3940 | diskdrive.exe | 90
PID 4896 wrote to memory of 4564 | 4896 | diskdrive.exe | 91
PID 4564 wrote to memory of 632 | 4564 | diskdrive.exe | 92
PID 632 wrote to memory of 2472 | 632 | diskdrive.exe | 93
PID 2472 wrote to memory of 992 | 2472 | diskdrive.exe | 94
PID 992 wrote to memory of 3944 | 992 | diskdrive.exe | 95
PID 3944 wrote to memory of 4700 | 3944 | diskdrive.exe | 96
PID 4700 wrote to memory of 4424 | 4700 | diskdrive.exe | 97
PID 4424 wrote to memory of 3948 | 4424 | diskdrive.exe | 98
PID 3948 wrote to memory of 4224 | 3948 | diskdrive.exe | 99
PID 4224 wrote to memory of 1392 | 4224 | diskdrive.exe | 100
PID 1392 wrote to memory of 4376 | 1392 | diskdrive.exe | 101
PID 4376 wrote to memory of 1100 | 4376 | diskdrive.exe | 102
PID 1100 wrote to memory of 4808 | 1100 | diskdrive.exe | 103
PID 4808 wrote to memory of 4036 | 4808 | diskdrive.exe | 104
PID 4036 wrote to memory of 2432 | 4036 | diskdrive.exe | 105
Processes

(level = depth in the process tree; each process is the parent of the next)

level 1  image: C:\Users\Admin\AppData\Local\Temp\ef45290762f90bfbe6f80c55489881db_JaffaCakes118.exe  command line: "C:\Users\Admin\AppData\Local\Temp\ef45290762f90bfbe6f80c55489881db_JaffaCakes118.exe"  PID: 3316
  - Suspicious use of WriteProcessMemory
level 2  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 1472
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 3  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 448
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 4  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4024
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
level 5  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 264
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 6  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4356
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 7  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 3940
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 8  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4896
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 9  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4564
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
level 10  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 632
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 11  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 2472
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 12  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 992
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 13  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 3944
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 14  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4700
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
level 15  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4424
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
level 16  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 3948
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 17  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4224
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 18  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 1392
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 19  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4376
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 20  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 1100
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 21  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4808
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 22  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4036
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 23  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 2432
  - Executes dropped EXE
level 24  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4880
  - Executes dropped EXE
  - Adds Run key to start application
level 25  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 1288
  - Executes dropped EXE
level 26  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4956
  - Executes dropped EXE
level 27  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4404
  - Executes dropped EXE
level 28  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 836
  - Executes dropped EXE
level 29  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 3080
  - Executes dropped EXE
level 30  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 2892
  - Executes dropped EXE
level 31  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4336
  - Executes dropped EXE
level 32  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 3028
  - Executes dropped EXE
  - Adds Run key to start application
level 33  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4924
  - Executes dropped EXE
level 34  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4560
  - Executes dropped EXE
level 35  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 1452
  - Executes dropped EXE
level 36  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 1248
  - Executes dropped EXE
level 37  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 3144
  - Executes dropped EXE
  - Adds Run key to start application
level 38  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 3228
  - Executes dropped EXE
level 39  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4044
  - Executes dropped EXE
level 40  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4820
  - Executes dropped EXE
level 41  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4716
  - Executes dropped EXE
level 42  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 2180
  - Executes dropped EXE
level 43  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 2288
  - Executes dropped EXE
level 44  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 3452
  - Executes dropped EXE
level 45  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4900
  - Executes dropped EXE
  - Adds Run key to start application
level 46  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 2284
  - Executes dropped EXE
level 47  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4888
  - Executes dropped EXE
level 48  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 5000
  - Executes dropped EXE
level 49  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4676
  - Executes dropped EXE
level 50  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4256
  - Executes dropped EXE
  - Drops file in System32 directory
level 51  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4928
  - Executes dropped EXE
level 52  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 2084
  - Executes dropped EXE
level 53  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4204
  - Executes dropped EXE
level 54  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4232
  - Executes dropped EXE
level 55  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 4720
  - Executes dropped EXE
level 56  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe  PID: 2112
  - Executes dropped EXE
level 57  image: C:\Windows\SysWOW64\diskdrive.exe  command line: C:\Windows\system32\diskdrive.exe
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe58⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe59⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe60⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe61⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3496 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe63⤵
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe64⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe65⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe66⤵PID:1052
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe67⤵PID:1460
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe68⤵
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe69⤵PID:3756
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe70⤵PID:1832
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe71⤵PID:3104
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe72⤵PID:1684
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe73⤵PID:4400
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe74⤵
- Adds Run key to start application
PID:1064 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe75⤵PID:1568
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe76⤵PID:3120
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe77⤵PID:624
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe78⤵PID:2548
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe79⤵PID:3296
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe80⤵PID:5004
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe81⤵PID:2612
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe82⤵PID:880
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe83⤵PID:2080
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe84⤵PID:2988
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe85⤵PID:4296
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe86⤵PID:4592
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe87⤵PID:3036
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe88⤵PID:2836
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe89⤵PID:2980
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe90⤵
- System Location Discovery: System Language Discovery
PID:4476 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe91⤵
- System Location Discovery: System Language Discovery
PID:3972 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe92⤵PID:3140
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe93⤵PID:4968
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe94⤵PID:1960
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe95⤵
- System Location Discovery: System Language Discovery
PID:4304 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe96⤵PID:732
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe97⤵PID:1152
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe98⤵PID:936
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe99⤵PID:4464
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe100⤵PID:3280
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe101⤵PID:2328
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe102⤵
- Adds Run key to start application
PID:4000 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe103⤵PID:2500
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe104⤵PID:4916
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe105⤵PID:544
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe106⤵PID:1380
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe107⤵
- Drops file in System32 directory
PID:3396 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe108⤵PID:2376
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe109⤵PID:3536
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe110⤵PID:2132
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe111⤵PID:232
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe112⤵PID:4524
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe113⤵PID:1952
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe114⤵
- Adds Run key to start application
PID:5176 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe115⤵PID:5232
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe116⤵PID:5288
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe117⤵PID:5340
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe118⤵
- Drops file in System32 directory
PID:5400 -
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe119⤵PID:5428
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe120⤵PID:5460
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe121⤵PID:5496
-
C:\Windows\SysWOW64\diskdrive.exeC:\Windows\system32\diskdrive.exe122⤵PID:5520