06c4e26af9651f6320535a7005941a98da73d89644a5ae77efcc1a1aa9ceeea0

Analysis

max time kernel
147s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 04:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

38701b67a9cc4765449981a3dfb403a7_JaffaCakes118.exe
Size

489KB
MD5

38701b67a9cc4765449981a3dfb403a7
SHA1

e343f089ecf79efebb4a2cca8877f2a8565a9447
SHA256

06c4e26af9651f6320535a7005941a98da73d89644a5ae77efcc1a1aa9ceeea0
SHA512

8c4b1b305a05519c4d3263b959ed45e200bdc3604cc368830152b2e1d32559688531aefb00271fa923f73c970e79bef893a3b289c6890a5358cecef9f63d38dc
SSDEEP

12288:vBueX337e5brD1zO4O46vcfhhkHT1+X+pd167QhEQ:genK5bX1zcP4hkR+E6Eh

Score

8^/10

discovery persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	divxdrv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\PrinterSecurityLayer = "C:\\Windows\\LSPRN.EXE"	divxdrv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	LSPRN.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\PrinterSecurityLayer = "C:\\Windows\\LSPRN.EXE"	LSPRN.EXE

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 8 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	LSPRN.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "0"	LSPRN.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	divxdrv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "0"	divxdrv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	divxdrv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "0"	divxdrv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	LSPRN.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "0"	LSPRN.EXE

Checks computer location settings 2 TTPs 55 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	divxdrv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	LSPRN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	38701b67a9cc4765449981a3dfb403a7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PRINTDRV.EXE

Executes dropped EXE 64 IoCs

pid	Process
2956	divxdrv32.exe
2612	PRINTDRV.EXE
3036	LSPRN.EXE
4156	PRINTDRV.EXE
1856	divxdrv32.exe
4148	PRINTDRV.EXE
5028	divxdrv32.exe
2952	PRINTDRV.EXE
528	divxdrv32.exe
1252	PRINTDRV.EXE
4396	divxdrv32.exe
2508	PRINTDRV.EXE
784	divxdrv32.exe
2188	PRINTDRV.EXE
5048	divxdrv32.exe
2364	PRINTDRV.EXE
4872	divxdrv32.exe
1428	PRINTDRV.EXE
1020	divxdrv32.exe
3656	PRINTDRV.EXE
1788	divxdrv32.exe
1476	PRINTDRV.EXE
1340	divxdrv32.exe
4408	PRINTDRV.EXE
3972	divxdrv32.exe
2656	PRINTDRV.EXE
2200	divxdrv32.exe
2328	PRINTDRV.EXE
1120	divxdrv32.exe
4108	PRINTDRV.EXE
2808	divxdrv32.exe
1880	PRINTDRV.EXE
2368	divxdrv32.exe
684	PRINTDRV.EXE
2704	divxdrv32.exe
4100	PRINTDRV.EXE
4528	divxdrv32.exe
1988	PRINTDRV.EXE
3540	divxdrv32.exe
4312	PRINTDRV.EXE
1084	divxdrv32.exe
528	PRINTDRV.EXE
4376	divxdrv32.exe
4396	PRINTDRV.EXE
784	divxdrv32.exe
1504	PRINTDRV.EXE
2676	divxdrv32.exe
3384	PRINTDRV.EXE
2084	divxdrv32.exe
3328	PRINTDRV.EXE
4876	divxdrv32.exe
1276	PRINTDRV.EXE
3892	divxdrv32.exe
1916	PRINTDRV.EXE
4532	divxdrv32.exe
4240	PRINTDRV.EXE
1028	divxdrv32.exe
4444	PRINTDRV.EXE
3432	divxdrv32.exe
2312	PRINTDRV.EXE
3308	divxdrv32.exe
1540	PRINTDRV.EXE
1684	divxdrv32.exe
4200	PRINTDRV.EXE

Adds Run key to start application 2 TTPs 55 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	38701b67a9cc4765449981a3dfb403a7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	LSPRN.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	divxdrv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	PRINTDRV.EXE

Drops file in System32 directory 55 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File created	C:\Windows\SysWOW64\PRINTDRV.EXE	38701b67a9cc4765449981a3dfb403a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\divxdrv32.exe	38701b67a9cc4765449981a3dfb403a7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File created	C:\Windows\SysWOW64\39upd.dll	38701b67a9cc4765449981a3dfb403a7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE
File opened for modification	C:\Windows\SysWOW64\39upd.dll	PRINTDRV.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\shapi32.dll	38701b67a9cc4765449981a3dfb403a7_JaffaCakes118.exe
File created	C:\Windows\LSPRN.EXE	divxdrv32.exe
File opened for modification	C:\Windows\LSPRN.EXE	divxdrv32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSPRN.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	divxdrv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38701b67a9cc4765449981a3dfb403a7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRINTDRV.EXE

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck = "1"	divxdrv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\	divxdrv32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0"	divxdrv32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck = "1"	LSPRN.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\	LSPRN.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0"	LSPRN.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 2956	5032	38701b67a9cc4765449981a3dfb403a7_JaffaCakes118.exe	86
PID 5032 wrote to memory of 2956	5032	38701b67a9cc4765449981a3dfb403a7_JaffaCakes118.exe	86
PID 5032 wrote to memory of 2956	5032	38701b67a9cc4765449981a3dfb403a7_JaffaCakes118.exe	86
PID 5032 wrote to memory of 2612	5032	38701b67a9cc4765449981a3dfb403a7_JaffaCakes118.exe	87
PID 5032 wrote to memory of 2612	5032	38701b67a9cc4765449981a3dfb403a7_JaffaCakes118.exe	87
PID 5032 wrote to memory of 2612	5032	38701b67a9cc4765449981a3dfb403a7_JaffaCakes118.exe	87
PID 2956 wrote to memory of 3036	2956	divxdrv32.exe	88
PID 2956 wrote to memory of 3036	2956	divxdrv32.exe	88
PID 2956 wrote to memory of 3036	2956	divxdrv32.exe	88
PID 3036 wrote to memory of 4156	3036	LSPRN.EXE	89
PID 3036 wrote to memory of 4156	3036	LSPRN.EXE	89
PID 3036 wrote to memory of 4156	3036	LSPRN.EXE	89
PID 2612 wrote to memory of 1856	2612	PRINTDRV.EXE	90
PID 2612 wrote to memory of 1856	2612	PRINTDRV.EXE	90
PID 2612 wrote to memory of 1856	2612	PRINTDRV.EXE	90
PID 2612 wrote to memory of 4148	2612	PRINTDRV.EXE	91
PID 2612 wrote to memory of 4148	2612	PRINTDRV.EXE	91
PID 2612 wrote to memory of 4148	2612	PRINTDRV.EXE	91
PID 4156 wrote to memory of 5028	4156	PRINTDRV.EXE	92
PID 4156 wrote to memory of 5028	4156	PRINTDRV.EXE	92
PID 4156 wrote to memory of 5028	4156	PRINTDRV.EXE	92
PID 4156 wrote to memory of 2952	4156	PRINTDRV.EXE	93
PID 4156 wrote to memory of 2952	4156	PRINTDRV.EXE	93
PID 4156 wrote to memory of 2952	4156	PRINTDRV.EXE	93
PID 4148 wrote to memory of 528	4148	PRINTDRV.EXE	94
PID 4148 wrote to memory of 528	4148	PRINTDRV.EXE	94
PID 4148 wrote to memory of 528	4148	PRINTDRV.EXE	94
PID 4148 wrote to memory of 1252	4148	PRINTDRV.EXE	95
PID 4148 wrote to memory of 1252	4148	PRINTDRV.EXE	95
PID 4148 wrote to memory of 1252	4148	PRINTDRV.EXE	95
PID 2952 wrote to memory of 4396	2952	PRINTDRV.EXE	96
PID 2952 wrote to memory of 4396	2952	PRINTDRV.EXE	96
PID 2952 wrote to memory of 4396	2952	PRINTDRV.EXE	96
PID 2952 wrote to memory of 2508	2952	PRINTDRV.EXE	97
PID 2952 wrote to memory of 2508	2952	PRINTDRV.EXE	97
PID 2952 wrote to memory of 2508	2952	PRINTDRV.EXE	97
PID 1252 wrote to memory of 784	1252	PRINTDRV.EXE	98
PID 1252 wrote to memory of 784	1252	PRINTDRV.EXE	98
PID 1252 wrote to memory of 784	1252	PRINTDRV.EXE	98
PID 1252 wrote to memory of 2188	1252	PRINTDRV.EXE	99
PID 1252 wrote to memory of 2188	1252	PRINTDRV.EXE	99
PID 1252 wrote to memory of 2188	1252	PRINTDRV.EXE	99
PID 2508 wrote to memory of 5048	2508	PRINTDRV.EXE	100
PID 2508 wrote to memory of 5048	2508	PRINTDRV.EXE	100
PID 2508 wrote to memory of 5048	2508	PRINTDRV.EXE	100
PID 2508 wrote to memory of 2364	2508	PRINTDRV.EXE	101
PID 2508 wrote to memory of 2364	2508	PRINTDRV.EXE	101
PID 2508 wrote to memory of 2364	2508	PRINTDRV.EXE	101
PID 2188 wrote to memory of 4872	2188	PRINTDRV.EXE	102
PID 2188 wrote to memory of 4872	2188	PRINTDRV.EXE	102
PID 2188 wrote to memory of 4872	2188	PRINTDRV.EXE	102
PID 2188 wrote to memory of 1428	2188	PRINTDRV.EXE	103
PID 2188 wrote to memory of 1428	2188	PRINTDRV.EXE	103
PID 2188 wrote to memory of 1428	2188	PRINTDRV.EXE	103
PID 2364 wrote to memory of 1020	2364	PRINTDRV.EXE	104
PID 2364 wrote to memory of 1020	2364	PRINTDRV.EXE	104
PID 2364 wrote to memory of 1020	2364	PRINTDRV.EXE	104
PID 2364 wrote to memory of 3656	2364	PRINTDRV.EXE	105
PID 2364 wrote to memory of 3656	2364	PRINTDRV.EXE	105
PID 2364 wrote to memory of 3656	2364	PRINTDRV.EXE	105
PID 1428 wrote to memory of 1788	1428	PRINTDRV.EXE	109
PID 1428 wrote to memory of 1788	1428	PRINTDRV.EXE	109
PID 1428 wrote to memory of 1788	1428	PRINTDRV.EXE	109
PID 1428 wrote to memory of 1476	1428	PRINTDRV.EXE	110

C:\Users\Admin\AppData\Local\Temp\38701b67a9cc4765449981a3dfb403a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\38701b67a9cc4765449981a3dfb403a7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\SysWOW64\divxdrv32.exe
  "C:\Windows\system32\divxdrv32.exe"
  2⤵
  - Adds policy Run key to start application
  - Event Triggered Execution: Image File Execution Options Injection
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\LSPRN.EXE
    "C:\Windows\LSPRN.EXE"
    3⤵
    - Adds policy Run key to start application
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\SysWOW64\PRINTDRV.EXE
      "C:\Windows\system32\PRINTDRV.EXE"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4156
    - - C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        5⤵
        Executes dropped EXE
        
        PID:5028
    - - C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        6⤵
        Executes dropped EXE
        
        PID:4396
      - C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        7⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        8⤵
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        9⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        10⤵
        Executes dropped EXE
        
        PID:2200
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        11⤵
        Executes dropped EXE
        
        PID:2808
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        12⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        13⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        14⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        15⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        16⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        17⤵
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        18⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        19⤵
        Executes dropped EXE
        
        PID:1684
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        20⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        20⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        21⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        21⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        22⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        22⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        23⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        23⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        24⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        24⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        25⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        25⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        26⤵
        
        PID:924
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        26⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        27⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        27⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        28⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        28⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        29⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        29⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        30⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1428
- C:\Windows\SysWOW64\PRINTDRV.EXE
  "C:\Windows\system32\PRINTDRV.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\divxdrv32.exe
    "C:\Windows\system32\divxdrv32.exe"
    3⤵
    - Executes dropped EXE
    PID:1856
- - C:\Windows\SysWOW64\PRINTDRV.EXE
    "C:\Windows\system32\PRINTDRV.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\SysWOW64\divxdrv32.exe
      "C:\Windows\system32\divxdrv32.exe"
      4⤵
      Executes dropped EXE
      PID:528
  - - C:\Windows\SysWOW64\PRINTDRV.EXE
      "C:\Windows\system32\PRINTDRV.EXE"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1252
    - - C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        5⤵
        Executes dropped EXE
        
        PID:784
    - - C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        6⤵
        Executes dropped EXE
        
        PID:4872
      - C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        7⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        8⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        9⤵
        Executes dropped EXE
        
        PID:1120
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        10⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        11⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        12⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:528
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        13⤵
        Executes dropped EXE
        
        PID:784
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        14⤵
        Executes dropped EXE
        
        PID:2084
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        15⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        16⤵
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        17⤵
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        18⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        18⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        19⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        19⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        20⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        20⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3848
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        21⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        21⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        22⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        22⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        23⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        23⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        24⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        24⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        25⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        25⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        26⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        26⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        27⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        27⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\divxdrv32.exe
        
        "C:\Windows\system32\divxdrv32.exe"
        28⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\PRINTDRV.EXE
        
        "C:\Windows\system32\PRINTDRV.EXE"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\PRINTDRV.EXE

Filesize
489KB

MD5
df336bbfe24fbc29a6382947c4debd11

SHA1
54eb3d138d83f889dbfd1a7edc15099323e4e52b

SHA256
cbe3f4f48c0a46bdb49877a0c912f46922c20ec0b6d1dd2fbe3a9833e1fd5e0c

SHA512
0576931b8b9eec2b5297c7929c3720f32d655d9e6f9955e1a372acb013137f76e855f6fc967fb35a19de4b5c81e35ac864691d161789d2ae20d4cff15491a052

Download Submit
C:\Windows\SysWOW64\divxdrv32.exe

Filesize
16KB

MD5
a060cf1c63ef1e583e7dd9c336bd81cb

SHA1
eb203fc1ffa56b52d4dfe7493dfda55ae471471e

SHA256
e82e90ae1dbab86485716a4d50c3d0119d1cd25e69ba47c03bc48084fea25d95

SHA512
042ab78b752ae93bc6abc488989058287322878b848ae7e9859a041a3f658d287fe2207e8881fefae270de890c92f04a114da9deb2c5f0fa1c54f30eb52795af

Download Submit
memory/528-91-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/684-79-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1252-43-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1276-106-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1428-55-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1444-124-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1476-61-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1504-97-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1540-116-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1548-134-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1556-135-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1880-76-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1912-120-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1916-109-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1940-132-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1988-85-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2052-129-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2076-137-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2148-130-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2188-49-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2312-115-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2328-70-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2364-52-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2508-46-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2612-31-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2612-20-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/2656-67-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2812-136-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2820-128-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2952-40-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3008-118-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3244-133-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3328-103-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3384-100-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3656-58-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3764-121-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3848-122-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3996-123-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4064-125-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4100-82-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4108-73-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4148-37-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4156-34-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4200-117-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4240-112-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4312-88-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4396-94-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4408-64-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4444-114-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4540-126-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4892-127-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4948-131-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4988-119-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5032-0-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/5032-19-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads