Analysis
max time kernel: 149s
max time network: 117s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 05-07-2024 15:35
Static task: static1
Behavioral task: behavioral1
  Sample: 27017a553fdedfb67e2955cc6990c645_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 27017a553fdedfb67e2955cc6990c645_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
Target: 27017a553fdedfb67e2955cc6990c645_JaffaCakes118.exe
Size: 220KB
MD5: 27017a553fdedfb67e2955cc6990c645
SHA1: 5468af808f5436ed3530d56b6b838dadbc53ff0d
SHA256: ef37c53930298403b1ca65c4fbadbfbdd530543b020adef40e58bd4ef02b6737
SHA512: c839aceb38236dfb573f51c631c39442af3e8fff563457028c8aecb29f197d558e616fa98be1b619e9336e97ea0900c404d94df9e47e96f67c12a22ba2c350ef
SSDEEP: 3072:lcCUEATLiAFD7iObfcAtmmrMWsJAr2VZB6/iE5ZKUYVBWbNPJY1o22NsEjLLYNdS:+REA/F3OAaVZB66E5Zjy8NwIsSwS
Malware Config
Extracted: metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Deletes itself 1 IoCs
pid   Process
2740  igfxsk32.exe
Executes dropped EXE 64 IoCs
pid / Process (all igfxsk32.exe): 2636, 2740, 3020, 448, 1776, 2956, 2584, 2180, 2336, 280, 2216, 2004, 1336, 2468, 836, 1800, 2432, 2908, 2280, 2284, 1592, 2148, 2952, 2644, 2480, 2412, 1044, 2364, 2996, 2504, 2832, 2796, 2900, 304, 2100, 2216, 1272, 1936, 1736, 2944, 1608, 1580, 2104, 2488, 1480, 1636, 824, 2676, 2532, 2572, 2000, 2448, 3028, 1528, 2304, 2964, 2828, 1344, 3036, 2760, 744, 1360, 2204, 2324
Loads dropped DLL 64 IoCs
pid / Process (each pid is listed twice in the report):
2176  27017a553fdedfb67e2955cc6990c645_JaffaCakes118.exe
igfxsk32.exe: 2636, 2740, 3020, 448, 1776, 2956, 2584, 2180, 2336, 280, 2216, 2004, 1336, 2468, 836, 1800, 2432, 2908, 2280, 2284, 1592, 2148, 2952, 2644, 2480, 2412, 1044, 2364, 2996, 2504, 2832
resource / yara_rule: upx. 64 memory regions, each of the form behavioral1/memory/<pid>-<n>-0x0000000000400000-0x0000000000466000-memory.dmp, with <pid>-<n> in report order:
2176-4, 2176-7, 2176-3, 2176-2, 2176-8, 2176-9, 2176-22, 2740-33, 2740-34, 2740-36, 2740-35, 2740-42, 448-53, 448-54, 448-55, 448-59, 2956-72, 2956-79, 2180-91, 2180-98, 280-110, 280-117, 2004-129, 2004-136, 2468-149, 2468-155, 1800-167, 1800-175, 2908-187, 2908-194, 2284-203, 2284-207, 2148-216, 2148-220, 2644-229, 2644-233, 2412-242, 2412-246, 2364-255, 2364-259, 2504-269, 2504-272, 2796-281, 2796-285, 304-294, 304-298, 2216-307, 2216-311, 1936-320, 1936-324, 2944-333, 2944-337, 1580-346, 1580-350, 2488-359, 2488-363, 1636-375, 2676-384, 2676-388, 2572-397, 2572-401, 2448-410, 2448-414, 1528-423
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
description / ioc / Process, 64 entries in report order.
  O = Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  Q = Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
  Process is igfxsk32.exe, except entries marked *, whose Process is 27017a553fdedfb67e2955cc6990c645_JaffaCakes118.exe.
Q*, O, Q, O, O, Q, O, Q, Q, Q, O, O, Q, Q, O, Q, O, O, Q, O, O, O, O, Q, O, Q, Q, O, O, Q, O, Q, O, O, Q, Q, Q, O, O, Q, O, Q, Q, O, Q, Q, O, O, Q, O, Q, Q, Q, Q, O, O, Q, O*, O, Q, Q, O, Q, O
Drops file in System32 directory 64 IoCs
description / ioc / Process, 64 entries in report order.
  M1 = File opened for modification C:\Windows\SysWOW64\igfxsk32.exe
  M2 = File opened for modification C:\Windows\SysWOW64\
  C  = File created C:\Windows\SysWOW64\igfxsk32.exe
  Process is igfxsk32.exe, except entries marked *, whose Process is 27017a553fdedfb67e2955cc6990c645_JaffaCakes118.exe.
M1, C, M1, C, M2, C, M2, C*, C, C, M2, M2, M2, M1, C, C, C, C, C, M2, C, C, M2, M2, M2, M1, M2, M1, M2, C, M1, M1, M1, M1, C, M1, C, M2, M2, C, C, C, C, M1, C, M2, C, M2, M1, C, M2, C, M1, C, M2, M2, M1, M2, M1, M1*, M1, M1, M1, M1
Suspicious use of SetThreadContext 34 IoCs
description | pid | Process | procid_target
PID 824 set thread context of 2176 | 824 | 27017a553fdedfb67e2955cc6990c645_JaffaCakes118.exe | 30
PID 2636 set thread context of 2740 | 2636 | igfxsk32.exe | 32
PID 3020 set thread context of 448 | 3020 | igfxsk32.exe | 34
PID 1776 set thread context of 2956 | 1776 | igfxsk32.exe | 36
PID 2584 set thread context of 2180 | 2584 | igfxsk32.exe | 38
PID 2336 set thread context of 280 | 2336 | igfxsk32.exe | 40
PID 2216 set thread context of 2004 | 2216 | igfxsk32.exe | 42
PID 1336 set thread context of 2468 | 1336 | igfxsk32.exe | 44
PID 836 set thread context of 1800 | 836 | igfxsk32.exe | 46
PID 2432 set thread context of 2908 | 2432 | igfxsk32.exe | 48
PID 2280 set thread context of 2284 | 2280 | igfxsk32.exe | 50
PID 1592 set thread context of 2148 | 1592 | igfxsk32.exe | 52
PID 2952 set thread context of 2644 | 2952 | igfxsk32.exe | 54
PID 2480 set thread context of 2412 | 2480 | igfxsk32.exe | 56
PID 1044 set thread context of 2364 | 1044 | igfxsk32.exe | 58
PID 2996 set thread context of 2504 | 2996 | igfxsk32.exe | 60
PID 2832 set thread context of 2796 | 2832 | igfxsk32.exe | 62
PID 2900 set thread context of 304 | 2900 | igfxsk32.exe | 64
PID 2100 set thread context of 2216 | 2100 | igfxsk32.exe | 66
PID 1272 set thread context of 1936 | 1272 | igfxsk32.exe | 68
PID 1736 set thread context of 2944 | 1736 | igfxsk32.exe | 70
PID 1608 set thread context of 1580 | 1608 | igfxsk32.exe | 72
PID 2104 set thread context of 2488 | 2104 | igfxsk32.exe | 74
PID 1480 set thread context of 1636 | 1480 | igfxsk32.exe | 76
PID 824 set thread context of 2676 | 824 | igfxsk32.exe | 78
PID 2532 set thread context of 2572 | 2532 | igfxsk32.exe | 80
PID 2000 set thread context of 2448 | 2000 | igfxsk32.exe | 82
PID 3028 set thread context of 1528 | 3028 | igfxsk32.exe | 84
PID 2304 set thread context of 2964 | 2304 | igfxsk32.exe | 86
PID 2828 set thread context of 1344 | 2828 | igfxsk32.exe | 88
PID 3036 set thread context of 2760 | 3036 | igfxsk32.exe | 90
PID 744 set thread context of 1360 | 744 | igfxsk32.exe | 92
PID 2204 set thread context of 2324 | 2204 | igfxsk32.exe | 94
PID 1272 set thread context of 1804 | 1272 | igfxsk32.exe | 96
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process (each pid is listed twice in the report):
2176  27017a553fdedfb67e2955cc6990c645_JaffaCakes118.exe
igfxsk32.exe: 2740, 448, 2956, 2180, 280, 2004, 2468, 1800, 2908, 2284, 2148, 2644, 2412, 2364, 2504, 2796, 304, 2216, 1936, 2944, 1580, 2488, 1636, 2676, 2572, 2448, 1528, 2964, 1344, 2760, 1360
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | times listed
PID 824 wrote to memory of 2176 | 824 | 27017a553fdedfb67e2955cc6990c645_JaffaCakes118.exe | 30 | 7
PID 2176 wrote to memory of 2636 | 2176 | 27017a553fdedfb67e2955cc6990c645_JaffaCakes118.exe | 31 | 4
PID 2636 wrote to memory of 2740 | 2636 | igfxsk32.exe | 32 | 7
PID 2740 wrote to memory of 3020 | 2740 | igfxsk32.exe | 33 | 4
PID 3020 wrote to memory of 448 | 3020 | igfxsk32.exe | 34 | 7
PID 448 wrote to memory of 1776 | 448 | igfxsk32.exe | 35 | 4
PID 1776 wrote to memory of 2956 | 1776 | igfxsk32.exe | 36 | 7
PID 2956 wrote to memory of 2584 | 2956 | igfxsk32.exe | 37 | 4
PID 2584 wrote to memory of 2180 | 2584 | igfxsk32.exe | 38 | 7
PID 2180 wrote to memory of 2336 | 2180 | igfxsk32.exe | 39 | 4
PID 2336 wrote to memory of 280 | 2336 | igfxsk32.exe | 40 | 7
PID 280 wrote to memory of 2216 | 280 | igfxsk32.exe | 41 | 2
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\27017a553fdedfb67e2955cc6990c645_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\27017a553fdedfb67e2955cc6990c645_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 824
Level 2: C:\Users\Admin\AppData\Local\Temp\27017a553fdedfb67e2955cc6990c645_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\27017a553fdedfb67e2955cc6990c645_JaffaCakes118.exe"
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2176
Level 3: C:\Windows\SysWOW64\igfxsk32.exe
  Command line: "C:\Windows\system32\igfxsk32.exe" C:\Users\Admin\AppData\Local\Temp\27017A~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2636
Level 4: C:\Windows\SysWOW64\igfxsk32.exe
  Command line: "C:\Windows\system32\igfxsk32.exe" C:\Users\Admin\AppData\Local\Temp\27017A~1.EXE
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2740
Level 5: C:\Windows\SysWOW64\igfxsk32.exe
  Command line: "C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 3020
Level 6: C:\Windows\SysWOW64\igfxsk32.exe
  Command line: "C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 448
Level 7: C:\Windows\SysWOW64\igfxsk32.exe
  Command line: "C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1776
Level 8: C:\Windows\SysWOW64\igfxsk32.exe
  Command line: "C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2956
Level 9: C:\Windows\SysWOW64\igfxsk32.exe
  Command line: "C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2584
Level 10: C:\Windows\SysWOW64\igfxsk32.exe
  Command line: "C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2180
Level 11: C:\Windows\SysWOW64\igfxsk32.exe
  Command line: "C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2336
Level 12: C:\Windows\SysWOW64\igfxsk32.exe
  Command line: "C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 280
Level 13: C:\Windows\SysWOW64\igfxsk32.exe
  Command line: "C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2216
Level 14: C:\Windows\SysWOW64\igfxsk32.exe
  Command line: "C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2004
Level 15: C:\Windows\SysWOW64\igfxsk32.exe
  Command line: "C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 1336
Level 16: C:\Windows\SysWOW64\igfxsk32.exe
  Command line: "C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2468
Level 17: C:\Windows\SysWOW64\igfxsk32.exe
  Command line: "C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 836
Level 18: C:\Windows\SysWOW64\igfxsk32.exe
  Command line: "C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1800
Level 19: C:\Windows\SysWOW64\igfxsk32.exe
  Command line: "C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2432
Level 20: C:\Windows\SysWOW64\igfxsk32.exe
  Command line: "C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2908
Level 21: C:\Windows\SysWOW64\igfxsk32.exe
  Command line: "C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2280
Level 22: C:\Windows\SysWOW64\igfxsk32.exe
  Command line: "C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2284
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1592 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2148 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2952 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2644 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2480 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2412 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1044 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2364 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2996 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2504 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2832 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe34⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2796 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2900 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe36⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:304 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2100 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe38⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2216 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1272 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe40⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1936 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1736 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe42⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2944 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1608 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe44⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1580 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2104 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe46⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2488 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1480 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe48⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1636 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:824 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe50⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2676 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2532 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe52⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2572 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2000 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe54⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2448 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3028 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe56⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1528 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2304 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe58⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2964 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2828 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe60⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1344 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3036 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe62⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2760 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:744 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe64⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1360 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2204 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe66⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe67⤵
- Suspicious use of SetThreadContext
PID:1272 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe68⤵
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\igfxsk32.exe"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe69⤵PID:1736
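The process tree above shows one dropped binary relaunching itself dozens of levels deep, with the sandbox tagging alternate instances with "Suspicious use of SetThreadContext" (the API used to redirect a suspended child's entry point in process hollowing) and "Drops file in System32 directory". A second detail worth reading off the tree: every command line names C:\Windows\system32\igfxsk32.exe, yet the image that actually runs lives in C:\Windows\SysWOW64, which is what WOW64 file-system redirection does to a 32-bit process launched by a system32 path. The script below is an added example, not code from the sandbox report or its vendor, that turns those two observations into detection logic over process-creation events. The event records are constructed here to mirror a subset of the report's PIDs (2004 through 2908) plus one benign process for contrast; the tuple layout, the tag strings and the minimum chain depth of 5 are assumptions made for the example, not a real Sysmon or Triage schema.

```python
"""Flag a self-replicating process chain such as the igfxsk32.exe tree.

Added example, not part of the sandbox report. Events are constructed to
mirror a few PIDs from the report; the ProcEvent layout is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

IMG = r"C:\Windows\SysWOW64\igfxsk32.exe"
CMD = r'"C:\Windows\system32\igfxsk32.exe" C:\Windows\SysWOW64\igfxsk32.exe'
HOLLOW = "Suspicious use of SetThreadContext"
DROP = "Drops file in System32 directory"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str        # path of the image that actually loaded
    cmdline: str      # command line as the parent supplied it
    tags: List[str] = field(default_factory=list)  # sandbox signature tags


# Constructed events: parent/child links follow the report's nesting.
# PID 2004's own parent is left outside the sample (ppid 1).
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"'),
    ProcEvent(1100, 1000, r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe"'),
    ProcEvent(2004, 1, IMG, CMD, [DROP]),
    ProcEvent(1336, 2004, IMG, CMD, [HOLLOW]),
    ProcEvent(2468, 1336, IMG, CMD, [DROP]),
    ProcEvent(836, 2468, IMG, CMD, [HOLLOW]),
    ProcEvent(1800, 836, IMG, CMD, [DROP]),
    ProcEvent(2432, 1800, IMG, CMD, [HOLLOW]),
    ProcEvent(2908, 2432, IMG, CMD, [DROP]),
]

_QUOTED = re.compile(r'^\s*"([^"]+)"')


def cmdline_image(cmdline: str) -> str:
    """Program path as stated on the command line: the first quoted token,
    or the first whitespace-delimited token when nothing is quoted."""
    m = _QUOTED.match(cmdline)
    return m.group(1) if m else cmdline.split()[0]


def wow64_redirected(ev: ProcEvent) -> bool:
    """True when the command line names System32 but the loaded image is in
    SysWOW64: a 32-bit binary started via a system32 path under WOW64
    redirection. Not malicious on its own; pair it with the chain finding."""
    claimed = cmdline_image(ev.cmdline).lower()
    return "\\system32\\" in claimed and "\\syswow64\\" in ev.image.lower()


def chain_depth(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> int:
    """Count ev plus its consecutive ancestors that share ev's image path.
    A visited-set guards against cyclic or reused PIDs in the input."""
    depth, cur, seen = 0, ev, set()
    while cur is not None and cur.pid not in seen \
            and cur.image.lower() == ev.image.lower():
        seen.add(cur.pid)
        depth += 1
        cur = by_pid.get(cur.ppid)
    return depth


def analyze(events: List[ProcEvent], min_depth: int = 5) -> Dict[str, object]:
    """Report images whose self-spawn chain reaches min_depth, the sandbox
    tags seen along those chains, and which of their PIDs show the
    system32 -> SysWOW64 redirection."""
    by_pid = {e.pid: e for e in events}
    deepest: Dict[str, int] = {}
    for e in events:
        d = chain_depth(e, by_pid)
        if d > deepest.get(e.image, 0):
            deepest[e.image] = d
    flagged = {img: d for img, d in deepest.items() if d >= min_depth}
    tag_counts: Dict[str, int] = {}
    for e in events:
        if e.image in flagged:
            for t in e.tags:
                tag_counts[t] = tag_counts.get(t, 0) + 1
    redirected = sorted(e.pid for e in events
                        if e.image in flagged and wow64_redirected(e))
    return {"flagged": flagged, "tags": tag_counts,
            "wow64_redirected_pids": redirected}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

On the constructed subset the chain for igfxsk32.exe is seven deep, with four "Drops file" and three "SetThreadContext" instances; on the full report the depth would exceed 60. A real deployment would feed Sysmon Event ID 1 records into ProcEvent, keep the depth threshold low enough to catch the chain early, and treat the redirection check as context rather than a verdict, since any legitimate 32-bit program launched by a system32 path shows the same mismatch.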
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
220KB
MD5 27017a553fdedfb67e2955cc6990c645
SHA1 5468af808f5436ed3530d56b6b838dadbc53ff0d
SHA256 ef37c53930298403b1ca65c4fbadbfbdd530543b020adef40e58bd4ef02b6737
SHA512 c839aceb38236dfb573f51c631c39442af3e8fff563457028c8aecb29f197d558e616fa98be1b619e9336e97ea0900c404d94df9e47e96f67c12a22ba2c350ef