Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 15-09-2024 13:04
Behavioral task: behavioral1
Sample: e28b8f9d02d44890d09099f68b329914_JaffaCakes118.exe
Resource: win7-20240729-en
General
Target: e28b8f9d02d44890d09099f68b329914_JaffaCakes118.exe
Size: 203KB
MD5: e28b8f9d02d44890d09099f68b329914
SHA1: be447005c84a84cec99e9ba236e056d9277244d7
SHA256: 9230440aec3a46b96805fee5641b42516dba51465c5306638d1d0924c07b6a55
SHA512: 9c434a694920deb240ff0f3707a5705ff5c7d09aedf0a15cb9eefc51a6265dd41477011a44ce1621676b71af52d79d7378137c90476b7ca7cc375d439fc2333c
SSDEEP: 3072:4PvBxdw7brTsht8nK2ZzaHWdTC1EFWmGwJlHk2S8McSGfJIzlgDz9EbbwWNIZKbf:l7bioK2ouTC6FewJlV7YHZIz9EwKS
Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Deletes itself 1 IoCs
pid: 2764, Process: igfxdkv32.exe
Executes dropped EXE 46 IoCs
Loads dropped DLL 64 IoCs
resource yara_rule: upx
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 47 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\e28b8f9d02d44890d09099f68b329914_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e28b8f9d02d44890d09099f68b329914_JaffaCakes118.exe"
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2632

Level 2: C:\Windows\SysWOW64\igfxdkv32.exe
Command line: "C:\Windows\system32\igfxdkv32.exe" C:\Users\Admin\AppData\Local\Temp\E28B8F~1.EXE
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2764

Level 3: C:\Windows\SysWOW64\igfxdkv32.exe
Command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2708

Level 4: C:\Windows\SysWOW64\igfxdkv32.exe
Command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2280

Level 5: C:\Windows\SysWOW64\igfxdkv32.exe
Command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1460

Level 6: C:\Windows\SysWOW64\igfxdkv32.exe
Command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2408

Level 7: C:\Windows\SysWOW64\igfxdkv32.exe
Command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1228

Level 8: C:\Windows\SysWOW64\igfxdkv32.exe
Command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1420

Level 9: C:\Windows\SysWOW64\igfxdkv32.exe
Command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1708

Level 10: C:\Windows\SysWOW64\igfxdkv32.exe
Command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1188

Level 11: C:\Windows\SysWOW64\igfxdkv32.exe
Command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2168

Level 12: C:\Windows\SysWOW64\igfxdkv32.exe
Command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2160

Level 13: C:\Windows\SysWOW64\igfxdkv32.exe
Command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2344

Level 14: C:\Windows\SysWOW64\igfxdkv32.exe
Command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2496

Level 15: C:\Windows\SysWOW64\igfxdkv32.exe
Command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1888

Level 16: C:\Windows\SysWOW64\igfxdkv32.exe
Command line: "C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 328
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE17⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3036 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE18⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2144 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE19⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1932 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE20⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2016 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE21⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3028 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE22⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2696 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE23⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2960 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE24⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2352 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE25⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2376 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE26⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1416 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1232 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE28⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1228 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE29⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2508 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2292 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE31⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:808 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE32⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2316 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE33⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1880 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE34⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE35⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE36⤵
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
PID:2068 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE37⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE38⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1308 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE39⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE40⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE41⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:288 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE42⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE43⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:900 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE44⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE45⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1900 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE46⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\igfxdkv32.exe"C:\Windows\system32\igfxdkv32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE47⤵
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
PID:2588
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 203KB
MD5: e28b8f9d02d44890d09099f68b329914
SHA1: be447005c84a84cec99e9ba236e056d9277244d7
SHA256: 9230440aec3a46b96805fee5641b42516dba51465c5306638d1d0924c07b6a55
SHA512: 9c434a694920deb240ff0f3707a5705ff5c7d09aedf0a15cb9eefc51a6265dd41477011a44ce1621676b71af52d79d7378137c90476b7ca7cc375d439fc2333c