Analysis

max time kernel: 150s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-11-2024 13:23
Static task: static1
Behavioral task: behavioral1
  Sample: 8bb0de12653c79c491ccd88cbd4d9c38_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 8bb0de12653c79c491ccd88cbd4d9c38_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
The results on this page are from behavioral2 (the win10v2004-20241007-en, x64 run named in the Analysis header).
General

Target: 8bb0de12653c79c491ccd88cbd4d9c38_JaffaCakes118.exe (the file name is the sample's MD5 plus a submitter suffix)
Size: 244KB
MD5: 8bb0de12653c79c491ccd88cbd4d9c38
SHA1: e0b1562e1f8846a7c3198d1490b1c275234d60bf
SHA256: ed9fd821b1dfadc00cf953619b290b0f8e2c4f49195c365129365130aa8f2453
SHA512: 49c221a5afd5f6089cd9dea8a816a89f6b6df6eb79646c084f2811aaf971c94b07649e83404f9da03000f09533f490d07cb6c64dc795695db66666f206dc8144
SSDEEP: 6144:ubNgxYPVpzzN8aYFrPAQk42rpptCjI5y+WFEpQQ:ubNg2VdyFpd2rntCjIVW
Malware Config

Extracted family: metasploit
Encoder: encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Metasploit family
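The config extractor names Metasploit's call4_dword_xor encoder. As an added example, not code from this report or from Metasploit, the script below builds the decoder stub that encoder prepends to a payload, then locates such a stub in an arbitrary byte blob, recovers the XOR key and decodes the body. The fixed stub bytes follow the encoder's documented layout; the counter-setup prefix is a simplified `xor ecx, ecx; sub ecx, imm32` rather than the badchar-dependent sequence Metasploit's Rex library emits, the function names are this example's own, and the payload bytes are placeholders, not the sample's shellcode.

```python
"""
Added example (not from the report or from Metasploit): build, find and decode an
x86 call4_dword_xor-style decoder stub.

Stub layout (offsets relative to the 'call' opcode):

   -8  31 c9                 xor ecx, ecx        ; counter setup, simplified here;
   -6  81 e9 <imm32 = -N>    sub ecx, -N         ; Rex emits a badchar-dependent variant
    0  e8 ff ff ff ff        call $+4            ; pushes 5 (address of the c0 byte)
                                                 ; and lands on its own last ff byte
    4  ff c0                 inc eax             ; that shared ff plus c0
    6  5e                    pop esi             ; esi = 5
    7  81 76 0e KK KK KK KK  xor [esi+0x0e], key ; 5 + 0x0e = 19 = first payload dword
   14  83 ee fc              sub esi, -4         ; esi += 4
   17  e2 f4                 loop 7              ; repeat N times
   19  <N encoded dwords>

YARA hex form of the fixed part:
   { e8 ff ff ff ff c0 5e 81 76 0e ?? ?? ?? ?? 83 ee fc e2 f4 }
"""
from __future__ import annotations

import struct

STUB_HEAD = bytes.fromhex("e8ffffffff" "c0" "5e" "81760e")   # 10 bytes, key follows
STUB_TAIL = bytes.fromhex("83eefc" "e2f4")                    # 5 bytes after the key
PAYLOAD_OFFSET = len(STUB_HEAD) + 4 + len(STUB_TAIL)          # 19


def encode(payload: bytes, key: int) -> bytes:
    """Prepend a call4_dword_xor stub to payload, xoring it dword-wise with key."""
    padded = payload + b"\x00" * (-len(payload) % 4)              # whole dwords only
    n = len(padded) // 4
    counter = b"\x31\xc9" + b"\x81\xe9" + struct.pack("<i", -n)   # ecx = N
    body = b"".join(
        struct.pack("<I", struct.unpack("<I", padded[i:i + 4])[0] ^ key)
        for i in range(0, len(padded), 4)
    )
    return counter + STUB_HEAD + struct.pack("<I", key) + STUB_TAIL + body


def find_stub(blob: bytes) -> int | None:
    """Offset of the 'call $+4' opcode of a call4_dword_xor stub in blob, else None."""
    off = blob.find(STUB_HEAD)
    while off != -1:
        if blob[off + 14:off + 19] == STUB_TAIL:
            return off
        off = blob.find(STUB_HEAD, off + 1)
    return None


def decode(blob: bytes) -> tuple[int, bytes] | None:
    """Recover (key, decoded payload) from the first stub found in blob.

    The dword count is read from a 'sub ecx, imm32' directly before the stub when
    one is present; otherwise every dword up to the end of the buffer is decoded.
    """
    off = find_stub(blob)
    if off is None:
        return None
    key = struct.unpack("<I", blob[off + 10:off + 14])[0]
    start = off + PAYLOAD_OFFSET
    n = (len(blob) - start) // 4
    if off >= 6 and blob[off - 6:off - 4] == b"\x81\xe9":
        count = -struct.unpack("<i", blob[off - 4:off])[0]
        if 0 < count < n:
            n = count
    decoded = bytearray()
    for i in range(n):
        (dword,) = struct.unpack("<I", blob[start + 4 * i:start + 4 * i + 4])
        decoded += struct.pack("<I", dword ^ key)
    return key, bytes(decoded)


if __name__ == "__main__":
    # Placeholder bytes standing in for a payload; not the sample's shellcode.
    blob = b"\x90" * 7 + encode(b"placeholder payload", 0xDEADBEEF) + b"\xcc" * 5
    key, payload = decode(blob)
    print(f"stub at {find_stub(blob)}, key {key:#010x}, payload {payload!r}")
```

The fixed 19-byte stub (with the four key bytes wildcarded) is what a static signature for this encoder keys on; the counter prefix varies and should not be part of the pattern. Decoding needs only the key, which sits in the clear inside the stub, so a matched stub can be unpacked without running the sample.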
Checks computer location settings (2 TTPs, 43 IoCs)
Looks up the country code configured in the registry, likely a geofence check. The value is the current user's GeoID; a sample that reads it can refuse to run in, or only run in, particular countries.
IoC (all 43 entries are the same operation):
  Key value queried  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation
Processes: igfxdxr32.exe (42 entries), 8bb0de12653c79c491ccd88cbd4d9c38_JaffaCakes118.exe (1 entry)
Deletes itself (1 IoC)
Process: 1964 igfxdxr32.exe
Executes dropped EXE (43 IoCs)
Processes (pid, image), in the order reported; all are igfxdxr32.exe:
  1964, 2684, 1004, 4588, 4240, 1076, 1412, 4208, 4052, 2972, 1332, 1020, 3284, 2988, 2916, 4840, 4860, 1128, 1548, 2148, 2768, 1528, 3060, 4352, 2928, 3360, 5060, 408, 1972, 1364, 3668, 3544, 2144, 4856, 3336, 4124, 3592, 3040, 3284, 1132, 2204, 4796, 3596
PID 3284 appears twice (13th and 39th entries): the earlier instance had exited and its PID was reused, so the list counts launches, not processes alive at one time.
Maps connected drives based on registry (3 TTPs, 64 IoCs)
Disk information is often read in order to detect sandboxing environments. Services\Disk\Enum\0 holds the device instance path of the first disk, which on a virtual machine usually embeds the hypervisor vendor's disk model string, so comparing it against a list of virtualisation vendors is a cheap sandbox check.
IoCs (two distinct operations, 64 entries in total):
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0
Processes: igfxdxr32.exe (62 entries), 8bb0de12653c79c491ccd88cbd4d9c38_JaffaCakes118.exe (one entry of each operation)
Drops file in System32 directory (64 IoCs)
IoCs (three distinct operations, 64 entries in total):
  File created                  C:\Windows\SysWOW64\igfxdxr32.exe
  File opened for modification  C:\Windows\SysWOW64\igfxdxr32.exe
  File opened for modification  C:\Windows\SysWOW64\
Processes: 8bb0de12653c79c491ccd88cbd4d9c38_JaffaCakes118.exe creates C:\Windows\SysWOW64\igfxdxr32.exe and opens C:\Windows\SysWOW64\ for modification (one entry each); every igfxdxr32.exe copy then repeats the same create/modify sequence on the same path (the remaining 62 entries).
Writing into C:\Windows\SysWOW64 requires an elevated token, and the write succeeded here (the dropped copy ran 43 times), so the sandbox executed the sample with one. The "igfx" prefix mimics the naming of Intel graphics driver binaries.
Suspicious use of NtSetInformationThreadHideFromDebugger (44 IoCs)
Setting ThreadHideFromDebugger on a thread stops it from generating debug events, so an attached debugger no longer sees exceptions or breakpoints from that thread; it is a common anti-debugging step.
Processes (pid, image): 1828 8bb0de12653c79c491ccd88cbd4d9c38_JaffaCakes118.exe, then igfxdxr32.exe with PIDs 1964, 2684, 1004, 4588, 4240, 1076, 1412, 4208, 4052, 2972, 1332, 1020, 3284, 2988, 2916, 4840, 4860, 1128, 1548, 2148, 2768, 1528, 3060, 4352, 2928, 3360, 5060, 408, 1972, 1364, 3668, 3544, 2144, 4856, 3336, 4124, 3592, 3040, 3284, 1132, 2204, 4796, 3596 (the same 43 launches as under "Executes dropped EXE")
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 43 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
IoC (all 43 entries are the same operation):
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes: igfxdxr32.exe (42 entries), 8bb0de12653c79c491ccd88cbd4d9c38_JaffaCakes118.exe (1 entry)
Modifies registry class (43 IoCs)
IoC (all 43 entries are the same operation):
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Processes: igfxdxr32.exe (42 entries), 8bb0de12653c79c491ccd88cbd4d9c38_JaffaCakes118.exe (1 entry)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | Process
1828 | 8bb0de12653c79c491ccd88cbd4d9c38_JaffaCakes118.exe (recorded 32 times)
1964 | igfxdxr32.exe (recorded 32 times)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | Process | procid_target
PID 1828 wrote to memory of 1964 | 1828 | 8bb0de12653c79c491ccd88cbd4d9c38_JaffaCakes118.exe | 89 (3 entries)
PID 1964 wrote to memory of 2684 | 1964 | igfxdxr32.exe | 92 (3 entries)
PID 2684 wrote to memory of 1004 | 2684 | igfxdxr32.exe | 98 (3 entries)
PID 1004 wrote to memory of 4588 | 1004 | igfxdxr32.exe | 100 (3 entries)
PID 4588 wrote to memory of 4240 | 4588 | igfxdxr32.exe | 101 (3 entries)
PID 4240 wrote to memory of 1076 | 4240 | igfxdxr32.exe | 102 (3 entries)
PID 1076 wrote to memory of 1412 | 1076 | igfxdxr32.exe | 103 (3 entries)
PID 1412 wrote to memory of 4208 | 1412 | igfxdxr32.exe | 104 (3 entries)
PID 4208 wrote to memory of 4052 | 4208 | igfxdxr32.exe | 107 (3 entries)
PID 4052 wrote to memory of 2972 | 4052 | igfxdxr32.exe | 108 (3 entries)
PID 2972 wrote to memory of 1332 | 2972 | igfxdxr32.exe | 111 (3 entries)
PID 1332 wrote to memory of 1020 | 1332 | igfxdxr32.exe | 112 (3 entries)
PID 1020 wrote to memory of 3284 | 1020 | igfxdxr32.exe | 113 (3 entries)
PID 3284 wrote to memory of 2988 | 3284 | igfxdxr32.exe | 114 (3 entries)
PID 2988 wrote to memory of 2916 | 2988 | igfxdxr32.exe | 115 (3 entries)
PID 2916 wrote to memory of 4840 | 2916 | igfxdxr32.exe | 116 (3 entries)
PID 4840 wrote to memory of 4860 | 4840 | igfxdxr32.exe | 117 (3 entries)
PID 4860 wrote to memory of 1128 | 4860 | igfxdxr32.exe | 118 (3 entries)
PID 1128 wrote to memory of 1548 | 1128 | igfxdxr32.exe | 119 (3 entries)
PID 1548 wrote to memory of 2148 | 1548 | igfxdxr32.exe | 121 (3 entries)
PID 2148 wrote to memory of 2768 | 2148 | igfxdxr32.exe | 122 (3 entries)
PID 2768 wrote to memory of 1528 | 2768 | igfxdxr32.exe | 123
Processes
- C:\Users\Admin\AppData\Local\Temp\8bb0de12653c79c491ccd88cbd4d9c38_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8bb0de12653c79c491ccd88cbd4d9c38_JaffaCakes118.exe"
  Tree level: 1
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1828
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Users\Admin\AppData\Local\Temp\8BB0DE~1.EXE
  Tree level: 2
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1964
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 3
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2684
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 4
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1004
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 5
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4588
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 6
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4240
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 7
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1076
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 8
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1412
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 9
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4208
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 10
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4052
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 11
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2972
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 12
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1332
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 13
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1020
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 14
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3284
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 15
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2988
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 16
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2916
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 17
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4840
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 18
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4860
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 19
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1128
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 20
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1548
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 21
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2148
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 22
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2768
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 23
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 1528
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 24
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 3060
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 25
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 4352
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 26
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 2928
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 27
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 3360
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 28
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 5060
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 29
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 408
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 30
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 1972
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 31
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 1364
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 32
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 3668
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 33
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 3544
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 34
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 2144
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 35
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 4856
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 36
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 3336
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 37
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 4124
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 38
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 3592
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 39
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 3040
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 40
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 3284
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 41
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 1132
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 42
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 2204
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 43
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 4796
- C:\Windows\SysWOW64\igfxdxr32.exe
  Command line: "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
  Tree level: 44
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID: 3596
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 244KB
  MD5: 8bb0de12653c79c491ccd88cbd4d9c38
  SHA1: e0b1562e1f8846a7c3198d1490b1c275234d60bf
  SHA256: ed9fd821b1dfadc00cf953619b290b0f8e2c4f49195c365129365130aa8f2453
  SHA512: 49c221a5afd5f6089cd9dea8a816a89f6b6df6eb79646c084f2811aaf971c94b07649e83404f9da03000f09533f490d07cb6c64dc795695db66666f206dc8144
- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e