Analysis
max time kernel: 150s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12-09-2024 21:41
Static task: static1
Behavioral task: behavioral1
Sample: dd194d73ec917904b0afe2821aa01c85_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: dd194d73ec917904b0afe2821aa01c85_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: dd194d73ec917904b0afe2821aa01c85_JaffaCakes118.exe
Size: 286KB
MD5: dd194d73ec917904b0afe2821aa01c85
SHA1: 94b0db53bb7c43c19388bb2889765e6ac0350866
SHA256: 34e0323224b797591731c6d8a5684050b20fec86aed946f61e25d42b5d4ae2e1
SHA512: daa49a6fe1ce9c91e8d38c67ed0b6d72faf83c3670dd092c4b1e78d160cb0d97fb03f6a958e7da0348d54380d4ca6eccf73dc345966bf0eebaaca45853511734
SSDEEP: 6144:zYEawDqulHdFcU8P9kaYac9/aKwNbB/o9t7EtoXuVBe:zrawDNlHdWDqaKwNbS9tQ
Malware Config
Extracted: metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
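The call4_dword_xor encoder named in the Malware Config XORs the payload in 4-byte words with a single 32-bit key and prepends a short x86 stub that locates its own address with a call instruction and undoes the XOR in place. What follows is an added example, not code from this report, from the sample or from Metasploit: it encodes a constructed stand-in payload the same way and then recovers the key from the encoded bytes with a known-plaintext guess. The one assumption it rests on is that Metasploit's Windows x86 stagers open with the block_api prologue fc e8 ?? 00 00 00 60 89 e5 (cld; call rel32; pushad; mov ebp,esp), so the second plaintext dword is 00 00 60 89. The decoder stub itself is not parsed here; on a real dump, strip the stub and run this over the bytes that follow it.

```python
import struct

# Constructed stand-in payload (NOT real shellcode): the first 9 bytes mimic the
# block_api prologue of a Metasploit Windows x86 stager, the rest is filler.
SAMPLE_PAYLOAD = bytes.fromhex("fce882000000" "6089e5") + bytes(range(0x20, 0x48))

# Known-plaintext assumption: the dword at offset 4 of such a stager is 00 00 60 89
# (high bytes of the call's rel32, then pushad, then the first byte of mov ebp,esp).
KNOWN_OFFSET = 4
KNOWN_DWORD = b"\x00\x00\x60\x89"


def pad4(data: bytes) -> bytes:
    """Zero-pad to a multiple of 4 so the buffer is a whole number of dwords."""
    return data + b"\x00" * (-len(data) % 4)


def dword_xor(data: bytes, key: int) -> bytes:
    """XOR every little-endian dword of data with key; the same call decodes what it encoded."""
    if len(data) % 4:
        raise ValueError("buffer must be dword-aligned; call pad4() first")
    key_bytes = struct.pack("<I", key)
    return bytes(b ^ key_bytes[i & 3] for i, b in enumerate(data))


def recover_key(encoded: bytes, known: bytes = KNOWN_DWORD, offset: int = KNOWN_OFFSET) -> int:
    """Known-plaintext attack on a static dword XOR: key = ciphertext_dword ^ plaintext_dword."""
    if offset % 4 or len(known) != 4:
        raise ValueError("offset must be dword-aligned and known must be exactly one dword")
    c = struct.unpack_from("<I", encoded, offset)[0]
    p = struct.unpack("<I", known)[0]
    return c ^ p


def looks_like_stager(decoded: bytes) -> bool:
    """Sanity check on the result: cld; call with a small positive rel32; pushad."""
    return (
        len(decoded) >= 8
        and decoded[0:2] == b"\xfc\xe8"
        and decoded[3:6] == b"\x00\x00\x00"
        and decoded[6] == 0x60
    )


def decode_blob(encoded: bytes) -> tuple:
    """Recover the key and return (key, decoded); raise if the guess did not produce a stager."""
    key = recover_key(encoded)
    decoded = dword_xor(encoded, key)
    if not looks_like_stager(decoded):
        raise ValueError("known-plaintext guess did not yield a stager prologue: wrong offset or encoder")
    return key, decoded


def roundtrip(key: int = 0x8B3F21A7) -> bool:
    """Encode the constructed payload with key, recover it blind, and compare."""
    plain = pad4(SAMPLE_PAYLOAD)
    encoded = dword_xor(plain, key)
    rec_key, decoded = decode_blob(encoded)
    return rec_key == key and decoded == plain


if __name__ == "__main__":
    print("roundtrip ok:", roundtrip())
```

A static-key dword XOR gives no diffusion, so one aligned dword of known plaintext is the whole key; this is why this encoder only defeats byte-pattern signatures on the encoded payload, never a memory scan after the stub has run.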
Deletes itself (1 IoC)
pid Process
2792 igfxdkv32.exe
Executes dropped EXE (42 IoCs)
Process: igfxdkv32.exe (all 42 entries)
PIDs, in the order listed: 2792, 2932, 2640, 1208, 1828, 1708, 2544, 1756, 304, 848, 2180, 1660, 696, 2992, 2276, 3000, 1984, 2580, 2624, 3068, 2096, 2476, 2876, 2864, 2652, 2632, 2040, 2104, 1828, 1708, 2036, 2984, 1124, 1444, 1664, 2244, 1928, 2028, 2608, 2204, 1672, 692
Loads dropped DLL (64 IoCs)
pid Process
2428 dd194d73ec917904b0afe2821aa01c85_JaffaCakes118.exe (2 entries)
igfxdkv32.exe, 2 entries per PID: 2792, 2932, 2640, 1208, 1828, 1708, 2544, 1756, 304, 848, 2180, 1660, 696, 2992, 2276, 3000, 1984, 2580, 2624, 3068, 2096, 2476, 2876, 2864, 2652, 2632, 2040, 2104, 1828, 1708, 2036
Yara rule match: upx
resource yara_rule
Every match is behavioral1/memory/<pid>-<seq>-0x0000000000400000-0x0000000000483000-memory.dmp against rule upx, for <pid>-<seq> = 2428-1, 2428-13, 2792-15, 2792-20, 2932-24, 2640-30, 1208-34, 1828-39, 1708-42, 2544-48, 1756-52, 304-56, 848-60, 2180-64, 1660-69, 696-73, 2992-77, 2276-82, 3000-86, 1984-88, 2580-89, 2624-90, 3068-91, 2096-92, 2476-93, 2876-94, 2864-95, 2652-96, 2632-97, 2040-98, 2104-99, 1828-100, 1708-101, 2036-102, 2984-103, 1124-104, 1444-105, 1664-106, 2244-107, 1928-108, 2028-109, 2608-110, 2204-111, 1672-112
Maps connected drives based on registry (3 TTPs, 64 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process | entries
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxdkv32.exe | 32
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | dd194d73ec917904b0afe2821aa01c85_JaffaCakes118.exe | 1
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxdkv32.exe | 30
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | dd194d73ec917904b0afe2821aa01c85_JaffaCakes118.exe | 1
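Disk\Enum\0 holds the Plug and Play device instance ID of the first disk, and on the common hypervisors that string carries the vendor name (VMware, VBOX, QEMU, Msft Virtual Disk). The example below is added here and is not code from the report or from the sample: it parses values in the IDE and SCSI instance-ID layouts and applies the kind of substring test an evasive sample performs, which is also the list of strings a sandbox operator has to spoof in that key. All value strings are constructed for the example, not copied from real hosts, and the marker list is an assumption about what samples typically look for.

```python
import re

# Constructed example values for HKLM\SYSTEM\ControlSet001\Services\Disk\Enum\0 (not from real hosts).
# Windows stores the PnP device instance ID of disk 0 here; the layout depends on the bus.
SAMPLES = {
    "vmware":   r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1b0b8f4b&0&000000",
    "hyperv":   r"SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\000001",
    "vbox":     r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&2a4b3c1d&0&0.0.0",
    "qemu":     r"IDE\DiskQEMU_HARDDISK___________________________2.5+____\5&1c2d3e4f&0&0.0.0",
    "physical": r"SCSI\Disk&Ven_NVMe&Prod_Samsung_SSD_980\4&3a9e5f2c&0&000000",
    "physide":  r"IDE\DiskWDC_WD10EZEX-08WN4A0____________________01.01A01\5&3f2e1d0c&0&0.0.0",
}

# Assumed marker list: substrings evasive samples commonly test for (compared lower-cased).
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "virtual", "xen", "kvm")

SCSI_RE = re.compile(r"^Disk&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)", re.IGNORECASE)


def parse_disk_enum(value: str):
    """Split an instance ID into (bus, vendor, product); None if the layout is not recognised."""
    bus, _, rest = value.partition("\\")
    ident = rest.split("\\", 1)[0]          # device ID, before the instance-specific suffix
    bus = bus.upper()
    if bus == "SCSI":
        m = SCSI_RE.match(ident)
        if m:
            return ("SCSI", m["ven"], m["prod"])
    elif bus == "IDE" and ident.startswith("Disk"):
        # IDE IDs pack "<vendor>_<model>" and the firmware revision into one underscore-padded field.
        tokens = ident[len("Disk"):].replace("_", " ").split()
        if len(tokens) >= 2:
            return ("IDE", tokens[0], " ".join(tokens[1:-1]))
    return None


def looks_like_vm(value: str) -> bool:
    """The check an evasive sample performs: any hypervisor marker in the vendor/product fields."""
    parsed = parse_disk_enum(value)
    haystack = " ".join(parsed[1:]) if parsed else value   # fall back to the raw string
    haystack = haystack.lower()
    return any(marker in haystack for marker in VM_MARKERS)


def classify_all(samples=SAMPLES) -> dict:
    """Run the check over every constructed value and return name -> verdict."""
    return {name: looks_like_vm(v) for name, v in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:9s} vm={verdict}  parsed={parse_disk_enum(SAMPLES[name])}")
```

The defensive reading of the same function: a sandbox image whose Disk\Enum\0 still says VBOX or VMware will be classified as analysis infrastructure by this sample before it does anything worth recording, so the vendor and product fields in that key are part of the surface to spoof.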
Drops file in System32 directory (64 IoCs)
description | ioc | Process | entries
File opened for modification | C:\Windows\SysWOW64\ | igfxdkv32.exe | 24
File opened for modification | C:\Windows\SysWOW64\ | dd194d73ec917904b0afe2821aa01c85_JaffaCakes118.exe | 1
File opened for modification | C:\Windows\SysWOW64\igfxdkv32.exe | igfxdkv32.exe | 19
File opened for modification | C:\Windows\SysWOW64\igfxdkv32.exe | dd194d73ec917904b0afe2821aa01c85_JaffaCakes118.exe | 1
File created | C:\Windows\SysWOW64\igfxdkv32.exe | igfxdkv32.exe | 19
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 43 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process | entries
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxdkv32.exe | 42
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dd194d73ec917904b0afe2821aa01c85_JaffaCakes118.exe | 1
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process
2428 dd194d73ec917904b0afe2821aa01c85_JaffaCakes118.exe (2 entries)
igfxdkv32.exe, 2 entries per PID: 2792, 2932, 2640, 1208, 1828, 1708, 2544, 1756, 304, 848, 2180, 1660, 696, 2992, 2276, 3000, 1984, 2580, 2624, 3068, 2096, 2476, 2876, 2864, 2652, 2632, 2040, 2104, 1828, 1708, 2036
Suspicious use of WriteProcessMemory (64 IoCs)
pid | Process | wrote to memory of (PID) | procid_target | entries
2428 | dd194d73ec917904b0afe2821aa01c85_JaffaCakes118.exe | 2792 | 29 | 4
2792 | igfxdkv32.exe | 2932 | 30 | 4
2932 | igfxdkv32.exe | 2640 | 31 | 4
2640 | igfxdkv32.exe | 1208 | 32 | 4
1208 | igfxdkv32.exe | 1828 | 33 | 4
1828 | igfxdkv32.exe | 1708 | 34 | 4
1708 | igfxdkv32.exe | 2544 | 35 | 4
2544 | igfxdkv32.exe | 1756 | 36 | 4
1756 | igfxdkv32.exe | 304 | 37 | 4
304 | igfxdkv32.exe | 848 | 38 | 4
848 | igfxdkv32.exe | 2180 | 39 | 4
2180 | igfxdkv32.exe | 1660 | 40 | 4
1660 | igfxdkv32.exe | 696 | 41 | 4
696 | igfxdkv32.exe | 2992 | 42 | 4
2992 | igfxdkv32.exe | 2276 | 43 | 4
2276 | igfxdkv32.exe | 3000 | 44 | 4
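Read together, the WriteProcessMemory entries and the process list describe one straight chain: the dropper writes a copy to C:\Windows\SysWOW64\igfxdkv32.exe and starts it, and every copy starts the next. The first copy receives the dropper's short path (DD194D~1.EXE) as its argument and is the process credited with "Deletes itself"; all later copies receive IGFXDK~1.EXE. The command line says C:\Windows\system32\igfxdkv32.exe while the image path is SysWOW64 because the sample is 32-bit (resource tag arch:x86) and WOW64 file-system redirection maps System32 to SysWOW64 for it. Two PIDs, 1828 and 1708, appear twice in "Executes dropped EXE", which means those earlier instances had already exited and the operating system reissued their PIDs. The example below is added here and is not the sandbox's own detection logic: it parses a subset of the report's records (copied verbatim), collapses the four-fold repetition, rebuilds the chain, counts self-spawn hops, and flags PID reuse; the threshold of three hops is an assumption.

```python
import re
from collections import Counter

# Records copied from the report's "Suspicious use of WriteProcessMemory" table (first edges only;
# the report lists each edge four times, one line per write into the freshly created child).
WPM_RECORDS = """\
PID 2428 wrote to memory of 2792 2428 dd194d73ec917904b0afe2821aa01c85_JaffaCakes118.exe 29
PID 2428 wrote to memory of 2792 2428 dd194d73ec917904b0afe2821aa01c85_JaffaCakes118.exe 29
PID 2792 wrote to memory of 2932 2792 igfxdkv32.exe 30
PID 2792 wrote to memory of 2932 2792 igfxdkv32.exe 30
PID 2932 wrote to memory of 2640 2932 igfxdkv32.exe 31
PID 2640 wrote to memory of 1208 2640 igfxdkv32.exe 32
PID 1208 wrote to memory of 1828 1208 igfxdkv32.exe 33
PID 1828 wrote to memory of 1708 1828 igfxdkv32.exe 34
PID 1708 wrote to memory of 2544 1708 igfxdkv32.exe 35
"""

# PIDs copied from the report's "Executes dropped EXE" table, in the order listed.
DROPPED_EXE_PIDS = [2792, 2932, 2640, 1208, 1828, 1708, 2544, 1756, 304, 848, 2180, 1660, 696,
                    2992, 2276, 3000, 1984, 2580, 2624, 3068, 2096, 2476, 2876, 2864, 2652, 2632,
                    2040, 2104, 1828, 1708, 2036, 2984, 1124, 1444, 1664, 2244, 1928, 2028, 2608,
                    2204, 1672, 692]

# "PID <p> wrote to memory of <c> <p> <image> <target index>"; the back-reference pins the repeated parent PID.
RECORD_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")


def parse_edges(text: str) -> list:
    """Return unique (parent_pid, child_pid, parent_image) edges in first-seen order."""
    edges = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            parent, child, image, _target_idx = m.groups()
            edges.setdefault((int(parent), int(child)), image)
    return [(p, c, img) for (p, c), img in edges.items()]


def build_chain(edges: list, root: int) -> list:
    """Follow parent->child edges from root while each node has exactly one child; stop on a fork or a cycle."""
    children = {}
    for parent, child, _ in edges:
        children.setdefault(parent, []).append(child)
    chain, seen = [root], {root}
    while len(children.get(chain[-1], [])) == 1:
        nxt = children[chain[-1]][0]
        if nxt in seen:            # a reused PID would otherwise make this loop forever
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def self_spawn_hops(edges: list, image: str) -> int:
    """Count hops where a process running `image` spawned a child that went on to run `image` itself."""
    image_of = {parent: img for parent, _, img in edges}   # a PID's image is known once it acts as parent
    return sum(1 for parent, child, img in edges
               if img == image and image_of.get(child) == image)


def reused_pids(pids: list) -> list:
    """PIDs that occur more than once among spawned processes: the OS recycled them after an exit."""
    return sorted(pid for pid, n in Counter(pids).items() if n > 1)


def assess(threshold: int = 3) -> dict:
    """Combine the three observations into one verdict for this report."""
    edges = parse_edges(WPM_RECORDS)
    hops = self_spawn_hops(edges, "igfxdkv32.exe")
    return {
        "chain": build_chain(edges, 2428),
        "self_spawn_hops": hops,
        "self_replicating": hops >= threshold,
        "reused_pids": reused_pids(DROPPED_EXE_PIDS),
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

Two practitioner notes follow from the output. A detection keyed on "image X creates image X" with a depth threshold catches this behaviour without any hash, whereas a rule keyed on the dropped file name does not survive a rename. And because PIDs are recycled within one run, any correlation that joins events on PID alone will merge the two lives of 1828 and 1708; join on a process GUID or on (PID, start time) instead.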
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\dd194d73ec917904b0afe2821aa01c85_JaffaCakes118.exe
command line: "C:\Users\Admin\AppData\Local\Temp\dd194d73ec917904b0afe2821aa01c85_JaffaCakes118.exe"
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2428
depth 2: C:\Windows\SysWOW64\igfxdkv32.exe
command line: "C:\Windows\system32\igfxdkv32.exe" C:\Users\Admin\AppData\Local\Temp\DD194D~1.EXE
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2792
depth 3: C:\Windows\SysWOW64\igfxdkv32.exe
command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2932
depth 4: C:\Windows\SysWOW64\igfxdkv32.exe
command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2640
depth 5: C:\Windows\SysWOW64\igfxdkv32.exe
command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1208
depth 6: C:\Windows\SysWOW64\igfxdkv32.exe
command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1828
depth 7: C:\Windows\SysWOW64\igfxdkv32.exe
command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1708
depth 8: C:\Windows\SysWOW64\igfxdkv32.exe
command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2544
depth 9: C:\Windows\SysWOW64\igfxdkv32.exe
command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1756
depth 10: C:\Windows\SysWOW64\igfxdkv32.exe
command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 304
depth 11: C:\Windows\SysWOW64\igfxdkv32.exe
command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 848
depth 12: C:\Windows\SysWOW64\igfxdkv32.exe
command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2180
depth 13: C:\Windows\SysWOW64\igfxdkv32.exe
command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1660
depth 14: C:\Windows\SysWOW64\igfxdkv32.exe
command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 696
depth 15: C:\Windows\SysWOW64\igfxdkv32.exe
command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2992
depth 16: C:\Windows\SysWOW64\igfxdkv32.exe
command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE17⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3000 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE18⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1984 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE19⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2580 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE20⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2624 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE21⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3068 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE22⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2096 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE23⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2476 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2876 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2864 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2652 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE27⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2632 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE28⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2040 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE29⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2104 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE30⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1828 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE31⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1708 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE32⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2036 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE33⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE34⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1124 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE35⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1444 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE36⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1664 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE37⤵
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
PID:2244 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE38⤵
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE39⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE40⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2608 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE41⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE42⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE43⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:692 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE44⤵PID:2084
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
286KB
MD5
dd194d73ec917904b0afe2821aa01c85
SHA1
94b0db53bb7c43c19388bb2889765e6ac0350866
SHA256
34e0323224b797591731c6d8a5684050b20fec86aed946f61e25d42b5d4ae2e1
SHA512
daa49a6fe1ce9c91e8d38c67ed0b6d72faf83c3670dd092c4b1e78d160cb0d97fb03f6a958e7da0348d54380d4ca6eccf73dc345966bf0eebaaca45853511734