metasploit | 771e11a0254f407da8eb855cb85ae357f4255f7b41e27bc28e9dcd835bff7faa

Analysis

max time kernel
148s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe
Size

288KB
MD5

f25e1718c46759c9efc5a3b762817afc
SHA1

e6beda436c6de39ad14442f7a0d1147860044771
SHA256

771e11a0254f407da8eb855cb85ae357f4255f7b41e27bc28e9dcd835bff7faa
SHA512

e7c12cc54845e3d22ba260be4fa204cc6f3b064b36322a5dc1d95f9026f755c89698de3bd5d9bd9ae50ed05e61edc45ad837d878f3bad51b407d5526e70bf888
SSDEEP

3072:Mfd77aJDLiX0ZxUzilNt+Z4QTEKt6pt736NDNy3SagNoXMOoIPME58a:ghGJU0Zx6dEKO6FNyvgNwlPME5R

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks computer location settings 2 TTPs 21 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	intelgfx32.exe

Deletes itself 1 IoCs

pid	Process
4660	intelgfx32.exe

Executes dropped EXE 41 IoCs

pid	Process
1884	intelgfx32.exe
4660	intelgfx32.exe
528	intelgfx32.exe
1560	intelgfx32.exe
1952	intelgfx32.exe
3812	intelgfx32.exe
2376	intelgfx32.exe
3560	intelgfx32.exe
2644	intelgfx32.exe
4376	intelgfx32.exe
3252	intelgfx32.exe
4748	intelgfx32.exe
2084	intelgfx32.exe
1876	intelgfx32.exe
4976	intelgfx32.exe
1736	intelgfx32.exe
2232	intelgfx32.exe
3904	intelgfx32.exe
1284	intelgfx32.exe
1228	intelgfx32.exe
1944	intelgfx32.exe
4584	intelgfx32.exe
2664	intelgfx32.exe
1104	intelgfx32.exe
3164	intelgfx32.exe
2948	intelgfx32.exe
1992	intelgfx32.exe
3948	intelgfx32.exe
4028	intelgfx32.exe
2888	intelgfx32.exe
4180	intelgfx32.exe
2068	intelgfx32.exe
4344	intelgfx32.exe
2056	intelgfx32.exe
1712	intelgfx32.exe
4472	intelgfx32.exe
1520	intelgfx32.exe
400	intelgfx32.exe
4556	intelgfx32.exe
2804	intelgfx32.exe
3852	intelgfx32.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4436-0-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4436-2-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4436-3-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4436-4-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4436-38-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4660-43-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4660-44-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4660-45-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4660-46-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1560-54-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1560-56-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3812-63-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3560-70-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4376-78-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4748-85-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1876-93-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1736-100-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3904-108-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1228-117-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4584-124-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1104-133-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2948-141-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3948-149-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2888-157-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2068-166-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2056-174-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4472-182-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/400-190-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2804-198-0x0000000000400000-0x0000000000466000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 42 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe

Suspicious use of SetThreadContext 21 IoCs

description	pid	Process	procid_target
PID 4196 set thread context of 4436	4196	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe	86
PID 1884 set thread context of 4660	1884	intelgfx32.exe	91
PID 528 set thread context of 1560	528	intelgfx32.exe	93
PID 1952 set thread context of 3812	1952	intelgfx32.exe	95
PID 2376 set thread context of 3560	2376	intelgfx32.exe	98
PID 2644 set thread context of 4376	2644	intelgfx32.exe	101
PID 3252 set thread context of 4748	3252	intelgfx32.exe	103
PID 2084 set thread context of 1876	2084	intelgfx32.exe	105
PID 4976 set thread context of 1736	4976	intelgfx32.exe	107
PID 2232 set thread context of 3904	2232	intelgfx32.exe	109
PID 1284 set thread context of 1228	1284	intelgfx32.exe	111
PID 1944 set thread context of 4584	1944	intelgfx32.exe	113
PID 2664 set thread context of 1104	2664	intelgfx32.exe	115
PID 3164 set thread context of 2948	3164	intelgfx32.exe	117
PID 1992 set thread context of 3948	1992	intelgfx32.exe	119
PID 4028 set thread context of 2888	4028	intelgfx32.exe	121
PID 4180 set thread context of 2068	4180	intelgfx32.exe	123
PID 4344 set thread context of 2056	4344	intelgfx32.exe	125
PID 1712 set thread context of 4472	1712	intelgfx32.exe	127
PID 1520 set thread context of 400	1520	intelgfx32.exe	129
PID 4556 set thread context of 2804	4556	intelgfx32.exe	131

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4436	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe
4436	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe
4436	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe
4436	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe
4660	intelgfx32.exe
4660	intelgfx32.exe
4660	intelgfx32.exe
4660	intelgfx32.exe
1560	intelgfx32.exe
1560	intelgfx32.exe
1560	intelgfx32.exe
1560	intelgfx32.exe
3812	intelgfx32.exe
3812	intelgfx32.exe
3812	intelgfx32.exe
3812	intelgfx32.exe
3560	intelgfx32.exe
3560	intelgfx32.exe
3560	intelgfx32.exe
3560	intelgfx32.exe
4376	intelgfx32.exe
4376	intelgfx32.exe
4376	intelgfx32.exe
4376	intelgfx32.exe
4748	intelgfx32.exe
4748	intelgfx32.exe
4748	intelgfx32.exe
4748	intelgfx32.exe
1876	intelgfx32.exe
1876	intelgfx32.exe
1876	intelgfx32.exe
1876	intelgfx32.exe
1736	intelgfx32.exe
1736	intelgfx32.exe
1736	intelgfx32.exe
1736	intelgfx32.exe
3904	intelgfx32.exe
3904	intelgfx32.exe
3904	intelgfx32.exe
3904	intelgfx32.exe
1228	intelgfx32.exe
1228	intelgfx32.exe
1228	intelgfx32.exe
1228	intelgfx32.exe
4584	intelgfx32.exe
4584	intelgfx32.exe
4584	intelgfx32.exe
4584	intelgfx32.exe
1104	intelgfx32.exe
1104	intelgfx32.exe
1104	intelgfx32.exe
1104	intelgfx32.exe
2948	intelgfx32.exe
2948	intelgfx32.exe
2948	intelgfx32.exe
2948	intelgfx32.exe
3948	intelgfx32.exe
3948	intelgfx32.exe
3948	intelgfx32.exe
3948	intelgfx32.exe
2888	intelgfx32.exe
2888	intelgfx32.exe
2888	intelgfx32.exe
2888	intelgfx32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 4436	4196	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe	86
PID 4196 wrote to memory of 4436	4196	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe	86
PID 4196 wrote to memory of 4436	4196	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe	86
PID 4196 wrote to memory of 4436	4196	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe	86
PID 4196 wrote to memory of 4436	4196	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe	86
PID 4196 wrote to memory of 4436	4196	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe	86
PID 4196 wrote to memory of 4436	4196	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe	86
PID 4436 wrote to memory of 1884	4436	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe	88
PID 4436 wrote to memory of 1884	4436	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe	88
PID 4436 wrote to memory of 1884	4436	f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe	88
PID 1884 wrote to memory of 4660	1884	intelgfx32.exe	91
PID 1884 wrote to memory of 4660	1884	intelgfx32.exe	91
PID 1884 wrote to memory of 4660	1884	intelgfx32.exe	91
PID 1884 wrote to memory of 4660	1884	intelgfx32.exe	91
PID 1884 wrote to memory of 4660	1884	intelgfx32.exe	91
PID 1884 wrote to memory of 4660	1884	intelgfx32.exe	91
PID 1884 wrote to memory of 4660	1884	intelgfx32.exe	91
PID 4660 wrote to memory of 528	4660	intelgfx32.exe	92
PID 4660 wrote to memory of 528	4660	intelgfx32.exe	92
PID 4660 wrote to memory of 528	4660	intelgfx32.exe	92
PID 528 wrote to memory of 1560	528	intelgfx32.exe	93
PID 528 wrote to memory of 1560	528	intelgfx32.exe	93
PID 528 wrote to memory of 1560	528	intelgfx32.exe	93
PID 528 wrote to memory of 1560	528	intelgfx32.exe	93
PID 528 wrote to memory of 1560	528	intelgfx32.exe	93
PID 528 wrote to memory of 1560	528	intelgfx32.exe	93
PID 528 wrote to memory of 1560	528	intelgfx32.exe	93
PID 1560 wrote to memory of 1952	1560	intelgfx32.exe	94
PID 1560 wrote to memory of 1952	1560	intelgfx32.exe	94
PID 1560 wrote to memory of 1952	1560	intelgfx32.exe	94
PID 1952 wrote to memory of 3812	1952	intelgfx32.exe	95
PID 1952 wrote to memory of 3812	1952	intelgfx32.exe	95
PID 1952 wrote to memory of 3812	1952	intelgfx32.exe	95
PID 1952 wrote to memory of 3812	1952	intelgfx32.exe	95
PID 1952 wrote to memory of 3812	1952	intelgfx32.exe	95
PID 1952 wrote to memory of 3812	1952	intelgfx32.exe	95
PID 1952 wrote to memory of 3812	1952	intelgfx32.exe	95
PID 3812 wrote to memory of 2376	3812	intelgfx32.exe	96
PID 3812 wrote to memory of 2376	3812	intelgfx32.exe	96
PID 3812 wrote to memory of 2376	3812	intelgfx32.exe	96
PID 2376 wrote to memory of 3560	2376	intelgfx32.exe	98
PID 2376 wrote to memory of 3560	2376	intelgfx32.exe	98
PID 2376 wrote to memory of 3560	2376	intelgfx32.exe	98
PID 2376 wrote to memory of 3560	2376	intelgfx32.exe	98
PID 2376 wrote to memory of 3560	2376	intelgfx32.exe	98
PID 2376 wrote to memory of 3560	2376	intelgfx32.exe	98
PID 2376 wrote to memory of 3560	2376	intelgfx32.exe	98
PID 3560 wrote to memory of 2644	3560	intelgfx32.exe	100
PID 3560 wrote to memory of 2644	3560	intelgfx32.exe	100
PID 3560 wrote to memory of 2644	3560	intelgfx32.exe	100
PID 2644 wrote to memory of 4376	2644	intelgfx32.exe	101
PID 2644 wrote to memory of 4376	2644	intelgfx32.exe	101
PID 2644 wrote to memory of 4376	2644	intelgfx32.exe	101
PID 2644 wrote to memory of 4376	2644	intelgfx32.exe	101
PID 2644 wrote to memory of 4376	2644	intelgfx32.exe	101
PID 2644 wrote to memory of 4376	2644	intelgfx32.exe	101
PID 2644 wrote to memory of 4376	2644	intelgfx32.exe	101
PID 4376 wrote to memory of 3252	4376	intelgfx32.exe	102
PID 4376 wrote to memory of 3252	4376	intelgfx32.exe	102
PID 4376 wrote to memory of 3252	4376	intelgfx32.exe	102
PID 3252 wrote to memory of 4748	3252	intelgfx32.exe	103
PID 3252 wrote to memory of 4748	3252	intelgfx32.exe	103
PID 3252 wrote to memory of 4748	3252	intelgfx32.exe	103
PID 3252 wrote to memory of 4748	3252	intelgfx32.exe	103

C:\Users\Admin\AppData\Local\Temp\f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Users\Admin\AppData\Local\Temp\f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f25e1718c46759c9efc5a3b762817afc_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SysWOW64\intelgfx32.exe
    "C:\Windows\system32\intelgfx32.exe" C:\Users\Admin\AppData\Local\Temp\F25E17~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\SysWOW64\intelgfx32.exe
      "C:\Windows\system32\intelgfx32.exe" C:\Users\Admin\AppData\Local\Temp\F25E17~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4660
    - - C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:528
      - C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4748
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1876
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1736
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3904
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1228
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4584
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1104
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2948
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3948
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2888
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        43⤵
        Executes dropped EXE
        
        PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\intelgfx32.exe

Filesize
288KB

MD5
f25e1718c46759c9efc5a3b762817afc

SHA1
e6beda436c6de39ad14442f7a0d1147860044771

SHA256
771e11a0254f407da8eb855cb85ae357f4255f7b41e27bc28e9dcd835bff7faa

SHA512
e7c12cc54845e3d22ba260be4fa204cc6f3b064b36322a5dc1d95f9026f755c89698de3bd5d9bd9ae50ed05e61edc45ad837d878f3bad51b407d5526e70bf888

Download Submit
memory/400-190-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1104-133-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1228-117-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1560-56-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1560-54-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1736-100-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1876-93-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2056-174-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2068-166-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2804-198-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2888-157-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2948-141-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3560-70-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3812-63-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3904-108-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3948-149-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4376-78-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4436-4-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4436-3-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4436-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4436-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4436-38-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4472-182-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4584-124-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4660-46-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4660-45-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4660-44-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4660-43-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4748-85-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download