Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/09/2024, 16:23
Static task: static1
Behavioral task: behavioral1
Sample: e09155cc0e772fe041bb674d031b6a73_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: e09155cc0e772fe041bb674d031b6a73_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: e09155cc0e772fe041bb674d031b6a73_JaffaCakes118.exe
Size: 280KB
MD5: e09155cc0e772fe041bb674d031b6a73
SHA1: ad5fcdc004d2e0cdf1008fb6226cec4e7c8ad16e
SHA256: a1dd383e02eae90830a58562b26886ac2c61a6694ff7ef6f5b1edf0b46067892
SHA512: 5fbb4715d15a118afe8f08bd35720a44caa7e7a57c30abafa7e8c2a00a616b54b340d768a5ab5ceff0eb11eecc50002442769d5dc6db66f8fec2425ee7b9ee08
SSDEEP: 3072:68OBtebeDXSjdLikfVb1oPGtyNjQK+M76WDzpSd0zMkqRk5V11LVZnVF85LPhNik:j8RXSjA2K+KDzpdzF5X35VypD
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Checks computer location settings (2 TTPs, 34 IoCs)
Looks up country code configured in the registry, likely geofence.
Deletes itself (1 IoCs)
PID 4112: igfxwp32.exe
Executes dropped EXE (64 IoCs)
resource yara_rule: upx (matched in behavioral2 memory dumps)
Maps connected drives based on registry (3 TTPs, 64 IoCs)
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory (64 IoCs)
Suspicious use of SetThreadContext (35 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (34 IoCs)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\e09155cc0e772fe041bb674d031b6a73_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e09155cc0e772fe041bb674d031b6a73_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4312
Level 2: C:\Users\Admin\AppData\Local\Temp\e09155cc0e772fe041bb674d031b6a73_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e09155cc0e772fe041bb674d031b6a73_JaffaCakes118.exe"
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1064
Level 3: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Users\Admin\AppData\Local\Temp\E09155~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1740
Level 4: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Users\Admin\AppData\Local\Temp\E09155~1.EXE
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4112
Level 5: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4880
Level 6: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4200
Level 7: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3152
Level 8: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3824
Level 9: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4976
Level 10: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3968
Level 11: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1552
Level 12: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4628
Level 13: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2524
Level 14: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4356
Level 15: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4232
Level 16: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3744
Level 17: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2692
Level 18: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 2948
Level 19: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4564
Level 20: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 1152
Level 21: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4912
Level 22: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4184
Level 23: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 1952
Level 24: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 5112
Level 25: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 224
Level 26: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 2012
Level 27: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 5092
Level 28: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 100
Level 29: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2276
Level 30: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 1636
Level 31: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2620
Level 32: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 1684
Level 33: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4836
Level 34: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1792
Level 35: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2480
Level 36: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2528
Level 37: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4620
Level 38: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID: 3620
Level 39: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1832
Level 40: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 864
Level 41: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1328
Level 42: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2976
Level 43: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 3516
Level 44: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID: 4420
Level 45: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 3308
Level 46: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3668
Level 47: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4456
Level 48: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3812
Level 49: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 3640
Level 50: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2144
Level 51: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 3460
Level 52: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4312
Level 53: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1232
Level 54: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3888
Level 55: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 312
Level 56: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 944
Level 57: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 5104
Level 58: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3212
Level 59: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4608
Level 60: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3252
Level 61: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 4204
Level 62: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4768
Level 63: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2196
Level 64: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1644
Level 65: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2280
Level 66: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3188
Level 67: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 748
Level 68: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1920
Level 69: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4896
Level 70: C:\Windows\SysWOW64\igfxwp32.exe
Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
PID: 1632
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 280KB
MD5: e09155cc0e772fe041bb674d031b6a73
SHA1: ad5fcdc004d2e0cdf1008fb6226cec4e7c8ad16e
SHA256: a1dd383e02eae90830a58562b26886ac2c61a6694ff7ef6f5b1edf0b46067892
SHA512: 5fbb4715d15a118afe8f08bd35720a44caa7e7a57c30abafa7e8c2a00a616b54b340d768a5ab5ceff0eb11eecc50002442769d5dc6db66f8fec2425ee7b9ee08