metasploit | d7ef60f95f4d3d955ee665ead8acca2e2f27462acd9ba3951a8fc1ee056e2abd

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe
Size

216KB
MD5

4371c0b9d33308b382675ddd9a0c014b
SHA1

07bcc5c1efceac0b657acfe492a6409e762e00cf
SHA256

d7ef60f95f4d3d955ee665ead8acca2e2f27462acd9ba3951a8fc1ee056e2abd
SHA512

85c3c93afeded2f603e88ab39167a0b54cacce6cd7afd65203d443320f33f15efc4a5a82fa4d0ad2ec9a7f00af71f637edb8ae5c0c6451d74d8bf5b5dac92ac1
SSDEEP

6144:Diys7Y6IxNe8oCoZY9BjNCDMnWwzZGHyn1K8lO:o7P0Q8oCoZY9FUQn1ZlO

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Deletes itself 1 IoCs

pid	Process
2620	igfxdn32.exe

Executes dropped EXE 64 IoCs

pid	Process
2672	igfxdn32.exe
2620	igfxdn32.exe
2360	igfxdn32.exe
1620	igfxdn32.exe
1300	igfxdn32.exe
996	igfxdn32.exe
2816	igfxdn32.exe
328	igfxdn32.exe
320	igfxdn32.exe
2176	igfxdn32.exe
1492	igfxdn32.exe
444	igfxdn32.exe
1704	igfxdn32.exe
1120	igfxdn32.exe
1548	igfxdn32.exe
2068	igfxdn32.exe
2496	igfxdn32.exe
2296	igfxdn32.exe
1956	igfxdn32.exe
900	igfxdn32.exe
1408	igfxdn32.exe
2780	igfxdn32.exe
2792	igfxdn32.exe
2672	igfxdn32.exe
1508	igfxdn32.exe
1996	igfxdn32.exe
2500	igfxdn32.exe
2804	igfxdn32.exe
2832	igfxdn32.exe
2836	igfxdn32.exe
1628	igfxdn32.exe
1052	igfxdn32.exe
1192	igfxdn32.exe
2136	igfxdn32.exe
1492	igfxdn32.exe
2648	igfxdn32.exe
1096	igfxdn32.exe
2092	igfxdn32.exe
1356	igfxdn32.exe
1548	igfxdn32.exe
1524	igfxdn32.exe
1984	igfxdn32.exe
1012	igfxdn32.exe
2476	igfxdn32.exe
2268	igfxdn32.exe
280	igfxdn32.exe
2760	igfxdn32.exe
2564	igfxdn32.exe
2624	igfxdn32.exe
2168	igfxdn32.exe
872	igfxdn32.exe
2404	igfxdn32.exe
2500	igfxdn32.exe
2636	igfxdn32.exe
2628	igfxdn32.exe
2940	igfxdn32.exe
2816	igfxdn32.exe
2840	igfxdn32.exe
1772	igfxdn32.exe
604	igfxdn32.exe
1980	igfxdn32.exe
1500	igfxdn32.exe
1864	igfxdn32.exe
960	igfxdn32.exe

Loads dropped DLL 64 IoCs

pid	Process
2216	4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe
2216	4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe
2672	igfxdn32.exe
2672	igfxdn32.exe
2620	igfxdn32.exe
2620	igfxdn32.exe
2360	igfxdn32.exe
2360	igfxdn32.exe
1620	igfxdn32.exe
1620	igfxdn32.exe
1300	igfxdn32.exe
1300	igfxdn32.exe
996	igfxdn32.exe
996	igfxdn32.exe
2816	igfxdn32.exe
2816	igfxdn32.exe
328	igfxdn32.exe
328	igfxdn32.exe
320	igfxdn32.exe
320	igfxdn32.exe
2176	igfxdn32.exe
2176	igfxdn32.exe
1492	igfxdn32.exe
1492	igfxdn32.exe
444	igfxdn32.exe
444	igfxdn32.exe
1704	igfxdn32.exe
1704	igfxdn32.exe
1120	igfxdn32.exe
1120	igfxdn32.exe
1548	igfxdn32.exe
1548	igfxdn32.exe
2068	igfxdn32.exe
2068	igfxdn32.exe
2496	igfxdn32.exe
2496	igfxdn32.exe
2296	igfxdn32.exe
2296	igfxdn32.exe
1956	igfxdn32.exe
1956	igfxdn32.exe
900	igfxdn32.exe
900	igfxdn32.exe
1408	igfxdn32.exe
1408	igfxdn32.exe
2780	igfxdn32.exe
2780	igfxdn32.exe
2792	igfxdn32.exe
2792	igfxdn32.exe
2672	igfxdn32.exe
2672	igfxdn32.exe
1508	igfxdn32.exe
1508	igfxdn32.exe
1996	igfxdn32.exe
1996	igfxdn32.exe
2500	igfxdn32.exe
2500	igfxdn32.exe
2804	igfxdn32.exe
2804	igfxdn32.exe
2832	igfxdn32.exe
2832	igfxdn32.exe
2836	igfxdn32.exe
2836	igfxdn32.exe
1628	igfxdn32.exe
1628	igfxdn32.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2216-4-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2216-3-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2216-6-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2216-2-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2216-8-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2216-7-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2216-21-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2620-32-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2620-33-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2620-34-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2620-40-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1620-52-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1620-53-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1620-60-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/996-78-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/328-89-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/328-97-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2176-108-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2176-109-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2176-116-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/444-128-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/444-135-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1120-154-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2068-166-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2068-173-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2296-185-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2296-193-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/900-203-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/900-207-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2780-216-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2780-220-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2672-229-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2672-233-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1996-245-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2804-254-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2804-258-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2836-267-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2836-271-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1052-280-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1052-284-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2136-293-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2136-297-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2648-306-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2648-310-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2092-319-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2092-323-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1548-332-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1548-336-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1984-345-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1984-349-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2476-358-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2476-362-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/280-371-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/280-375-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2564-384-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2564-388-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2168-397-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2168-401-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2404-410-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2404-414-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2636-423-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2636-427-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2940-436-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2940-440-0x0000000000400000-0x0000000000460000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\	4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdn32.exe
File created	C:\Windows\SysWOW64\igfxdn32.exe	igfxdn32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdn32.exe

Suspicious use of SetThreadContext 33 IoCs

description	pid	Process	procid_target
PID 2220 set thread context of 2216	2220	4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe	30
PID 2672 set thread context of 2620	2672	igfxdn32.exe	32
PID 2360 set thread context of 1620	2360	igfxdn32.exe	34
PID 1300 set thread context of 996	1300	igfxdn32.exe	36
PID 2816 set thread context of 328	2816	igfxdn32.exe	38
PID 320 set thread context of 2176	320	igfxdn32.exe	40
PID 1492 set thread context of 444	1492	igfxdn32.exe	42
PID 1704 set thread context of 1120	1704	igfxdn32.exe	44
PID 1548 set thread context of 2068	1548	igfxdn32.exe	46
PID 2496 set thread context of 2296	2496	igfxdn32.exe	48
PID 1956 set thread context of 900	1956	igfxdn32.exe	50
PID 1408 set thread context of 2780	1408	igfxdn32.exe	52
PID 2792 set thread context of 2672	2792	igfxdn32.exe	54
PID 1508 set thread context of 1996	1508	igfxdn32.exe	56
PID 2500 set thread context of 2804	2500	igfxdn32.exe	58
PID 2832 set thread context of 2836	2832	igfxdn32.exe	60
PID 1628 set thread context of 1052	1628	igfxdn32.exe	62
PID 1192 set thread context of 2136	1192	igfxdn32.exe	64
PID 1492 set thread context of 2648	1492	igfxdn32.exe	66
PID 1096 set thread context of 2092	1096	igfxdn32.exe	68
PID 1356 set thread context of 1548	1356	igfxdn32.exe	70
PID 1524 set thread context of 1984	1524	igfxdn32.exe	72
PID 1012 set thread context of 2476	1012	igfxdn32.exe	74
PID 2268 set thread context of 280	2268	igfxdn32.exe	76
PID 2760 set thread context of 2564	2760	igfxdn32.exe	78
PID 2624 set thread context of 2168	2624	igfxdn32.exe	80
PID 872 set thread context of 2404	872	igfxdn32.exe	82
PID 2500 set thread context of 2636	2500	igfxdn32.exe	84
PID 2628 set thread context of 2940	2628	igfxdn32.exe	86
PID 2816 set thread context of 2840	2816	igfxdn32.exe	88
PID 1772 set thread context of 604	1772	igfxdn32.exe	90
PID 1980 set thread context of 1500	1980	igfxdn32.exe	92
PID 1864 set thread context of 960	1864	igfxdn32.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2216	4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe
2216	4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe
2620	igfxdn32.exe
2620	igfxdn32.exe
1620	igfxdn32.exe
1620	igfxdn32.exe
996	igfxdn32.exe
996	igfxdn32.exe
328	igfxdn32.exe
328	igfxdn32.exe
2176	igfxdn32.exe
2176	igfxdn32.exe
444	igfxdn32.exe
444	igfxdn32.exe
1120	igfxdn32.exe
1120	igfxdn32.exe
2068	igfxdn32.exe
2068	igfxdn32.exe
2296	igfxdn32.exe
2296	igfxdn32.exe
900	igfxdn32.exe
900	igfxdn32.exe
2780	igfxdn32.exe
2780	igfxdn32.exe
2672	igfxdn32.exe
2672	igfxdn32.exe
1996	igfxdn32.exe
1996	igfxdn32.exe
2804	igfxdn32.exe
2804	igfxdn32.exe
2836	igfxdn32.exe
2836	igfxdn32.exe
1052	igfxdn32.exe
1052	igfxdn32.exe
2136	igfxdn32.exe
2136	igfxdn32.exe
2648	igfxdn32.exe
2648	igfxdn32.exe
2092	igfxdn32.exe
2092	igfxdn32.exe
1548	igfxdn32.exe
1548	igfxdn32.exe
1984	igfxdn32.exe
1984	igfxdn32.exe
2476	igfxdn32.exe
2476	igfxdn32.exe
280	igfxdn32.exe
280	igfxdn32.exe
2564	igfxdn32.exe
2564	igfxdn32.exe
2168	igfxdn32.exe
2168	igfxdn32.exe
2404	igfxdn32.exe
2404	igfxdn32.exe
2636	igfxdn32.exe
2636	igfxdn32.exe
2940	igfxdn32.exe
2940	igfxdn32.exe
2840	igfxdn32.exe
2840	igfxdn32.exe
604	igfxdn32.exe
604	igfxdn32.exe
1500	igfxdn32.exe
1500	igfxdn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2216	2220	4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2216	2220	4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2216	2220	4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2216	2220	4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2216	2220	4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2216	2220	4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2216	2220	4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe	30
PID 2216 wrote to memory of 2672	2216	4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe	31
PID 2216 wrote to memory of 2672	2216	4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe	31
PID 2216 wrote to memory of 2672	2216	4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe	31
PID 2216 wrote to memory of 2672	2216	4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2620	2672	igfxdn32.exe	32
PID 2672 wrote to memory of 2620	2672	igfxdn32.exe	32
PID 2672 wrote to memory of 2620	2672	igfxdn32.exe	32
PID 2672 wrote to memory of 2620	2672	igfxdn32.exe	32
PID 2672 wrote to memory of 2620	2672	igfxdn32.exe	32
PID 2672 wrote to memory of 2620	2672	igfxdn32.exe	32
PID 2672 wrote to memory of 2620	2672	igfxdn32.exe	32
PID 2620 wrote to memory of 2360	2620	igfxdn32.exe	33
PID 2620 wrote to memory of 2360	2620	igfxdn32.exe	33
PID 2620 wrote to memory of 2360	2620	igfxdn32.exe	33
PID 2620 wrote to memory of 2360	2620	igfxdn32.exe	33
PID 2360 wrote to memory of 1620	2360	igfxdn32.exe	34
PID 2360 wrote to memory of 1620	2360	igfxdn32.exe	34
PID 2360 wrote to memory of 1620	2360	igfxdn32.exe	34
PID 2360 wrote to memory of 1620	2360	igfxdn32.exe	34
PID 2360 wrote to memory of 1620	2360	igfxdn32.exe	34
PID 2360 wrote to memory of 1620	2360	igfxdn32.exe	34
PID 2360 wrote to memory of 1620	2360	igfxdn32.exe	34
PID 1620 wrote to memory of 1300	1620	igfxdn32.exe	35
PID 1620 wrote to memory of 1300	1620	igfxdn32.exe	35
PID 1620 wrote to memory of 1300	1620	igfxdn32.exe	35
PID 1620 wrote to memory of 1300	1620	igfxdn32.exe	35
PID 1300 wrote to memory of 996	1300	igfxdn32.exe	36
PID 1300 wrote to memory of 996	1300	igfxdn32.exe	36
PID 1300 wrote to memory of 996	1300	igfxdn32.exe	36
PID 1300 wrote to memory of 996	1300	igfxdn32.exe	36
PID 1300 wrote to memory of 996	1300	igfxdn32.exe	36
PID 1300 wrote to memory of 996	1300	igfxdn32.exe	36
PID 1300 wrote to memory of 996	1300	igfxdn32.exe	36
PID 996 wrote to memory of 2816	996	igfxdn32.exe	37
PID 996 wrote to memory of 2816	996	igfxdn32.exe	37
PID 996 wrote to memory of 2816	996	igfxdn32.exe	37
PID 996 wrote to memory of 2816	996	igfxdn32.exe	37
PID 2816 wrote to memory of 328	2816	igfxdn32.exe	38
PID 2816 wrote to memory of 328	2816	igfxdn32.exe	38
PID 2816 wrote to memory of 328	2816	igfxdn32.exe	38
PID 2816 wrote to memory of 328	2816	igfxdn32.exe	38
PID 2816 wrote to memory of 328	2816	igfxdn32.exe	38
PID 2816 wrote to memory of 328	2816	igfxdn32.exe	38
PID 2816 wrote to memory of 328	2816	igfxdn32.exe	38
PID 328 wrote to memory of 320	328	igfxdn32.exe	39
PID 328 wrote to memory of 320	328	igfxdn32.exe	39
PID 328 wrote to memory of 320	328	igfxdn32.exe	39
PID 328 wrote to memory of 320	328	igfxdn32.exe	39
PID 320 wrote to memory of 2176	320	igfxdn32.exe	40
PID 320 wrote to memory of 2176	320	igfxdn32.exe	40
PID 320 wrote to memory of 2176	320	igfxdn32.exe	40
PID 320 wrote to memory of 2176	320	igfxdn32.exe	40
PID 320 wrote to memory of 2176	320	igfxdn32.exe	40
PID 320 wrote to memory of 2176	320	igfxdn32.exe	40
PID 320 wrote to memory of 2176	320	igfxdn32.exe	40
PID 2176 wrote to memory of 1492	2176	igfxdn32.exe	41
PID 2176 wrote to memory of 1492	2176	igfxdn32.exe	41

C:\Users\Admin\AppData\Local\Temp\4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4371c0b9d33308b382675ddd9a0c014b_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\igfxdn32.exe
    "C:\Windows\system32\igfxdn32.exe" C:\Users\Admin\AppData\Local\Temp\4371C0~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\igfxdn32.exe
      "C:\Windows\system32\igfxdn32.exe" C:\Users\Admin\AppData\Local\Temp\4371C0~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2360
      - C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1492
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:444
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1704
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1120
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1548
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2068
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2496
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2296
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1956
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:900
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1408
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2780
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2792
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2672
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1508
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1996
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2500
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2804
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2832
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2836
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1628
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        34⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1052
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1192
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        36⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2136
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1492
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        38⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2648
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1096
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        40⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2092
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1356
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        42⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1548
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1524
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        44⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1984
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1012
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        46⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2476
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2268
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        48⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:280
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2760
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        50⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2564
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2624
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        52⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2168
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:872
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        54⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2404
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2500
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        56⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2636
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2628
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        58⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2940
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2816
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        60⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2840
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1772
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        62⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:604
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1980
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        64⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1500
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1864
        
        C:\Windows\SysWOW64\igfxdn32.exe
        
        "C:\Windows\system32\igfxdn32.exe" C:\Windows\SysWOW64\igfxdn32.exe
        66⤵
        Executes dropped EXE
        Maps connected drives based on registry
        
        PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\igfxdn32.exe

Filesize
216KB

MD5
4371c0b9d33308b382675ddd9a0c014b

SHA1
07bcc5c1efceac0b657acfe492a6409e762e00cf

SHA256
d7ef60f95f4d3d955ee665ead8acca2e2f27462acd9ba3951a8fc1ee056e2abd

SHA512
85c3c93afeded2f603e88ab39167a0b54cacce6cd7afd65203d443320f33f15efc4a5a82fa4d0ad2ec9a7f00af71f637edb8ae5c0c6451d74d8bf5b5dac92ac1

Download Submit
memory/280-371-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/280-375-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/328-89-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/328-97-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/444-135-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/444-128-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/604-466-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/604-463-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/900-203-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/900-207-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/960-488-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/996-78-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1052-280-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1052-284-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1120-154-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1500-475-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1500-479-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1548-336-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1548-332-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1620-52-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1620-60-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1620-53-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1984-345-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1984-349-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1996-245-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2068-166-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2068-173-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2092-319-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2092-323-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2136-297-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2136-293-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2168-401-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2168-397-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2176-116-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2176-108-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2176-109-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2216-4-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2216-6-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2216-0-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2216-3-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2216-2-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2216-8-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2216-7-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2216-21-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2296-193-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2296-185-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2404-410-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2404-414-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2476-358-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2476-362-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2564-384-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2564-388-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2620-40-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2620-33-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2620-32-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2620-34-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2636-423-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2636-427-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2648-310-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2648-306-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2672-229-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2672-233-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2780-220-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2780-216-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2804-258-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2804-254-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2836-267-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2836-271-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2840-449-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2840-453-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2940-440-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2940-436-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download