Analysis
max time kernel: 149s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2024 01:16
Static task: static1
Behavioral task: behavioral1
  Sample: 8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
The signatures, memory dumps and process tree below are from behavioral2 (the win10v2004 run named in the Analysis header); the behavioral1 (win7) results are not on this page.
General
Target: 8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe
Size: 170KB
MD5: 8e6dc479f409c8f54869ec7d4378bfc7
SHA1: 16cab39b39712217515f845e72de4f211722ef5e
SHA256: 9f69504cc933d99732379b6e814736c96232017c4327b80d8c4c88a5ab5bdacf
SHA512: bf343f41573d79a6a8817c9c346206039400af92cc469e2350350ef58062cd7fe3cf583b808f95fc8b3baed8a8d8ed4c7ae6fce578acb8387fc2cfcd813594e3
SSDEEP: 3072:/2UPT6y+x9vjc6gA3SdQCvdOsg0Dd9NddhrEO81fJWWwi9:NTa9vjDgWS5dDrRrE9foQ
Malware Config
Extracted
Family: metasploit
Encoder: encoder/call4_dword_xor (Metasploit's x86 call4_dword_xor shellcode encoder; the decoded payload and its handler settings are not part of the extracted config shown here)
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Metasploit family
Checks computer location settings (2 TTPs, 16 IoCs)
Looks up country code configured in the registry, likely geofence. The Geo\Nation value is also read by ordinary locale-aware code, so on its own it is a weak indicator; what makes it notable here is that in the process tree below it fires only in the child of each SetThreadContext pair, i.e. in the injected copy, never in the parent that performs the injection.
Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | igfxwl32.exe (15 rows), 8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe (1 row)
Deletes itself (1 IoC)
pid | Process
3708 | igfxwl32.exe
Executes dropped EXE (31 IoCs)
Process: igfxwl32.exe
PIDs: 1996, 3708, 4912, 3700, 696, 2356, 5052, 4636, 2796, 3864, 3648, 4388, 4612, 1032, 4348, 4088, 2864, 1888, 116, 3308, 4516, 4992, 4484, 2576, 4916, 368, 5064, 4932, 1968, 1436, 3232
Maps connected drives based on registry (3 TTPs, 32 IoCs)
Disk information is often read in order to detect sandboxing environments.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwl32.exe (15 rows), 8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe (1 row)
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwl32.exe (15 rows), 8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe (1 row)
Drops file in System32 directory (45 IoCs)
The sample is 32-bit (arch:x86 in the resource tags) and its command lines in the process tree reference C:\Windows\system32\igfxwl32.exe, yet the file is recorded under C:\Windows\SysWOW64\: WoW64 file-system redirection maps System32 to SysWOW64 for 32-bit processes, so on a 64-bit host the dropped copy is in SysWOW64, not System32. The name igfxwl32.exe mimics an Intel graphics component; nothing on this page shows the file is signed or otherwise legitimate.
Description | IoC | Process
File opened for modification | C:\Windows\SysWOW64\ | igfxwl32.exe (14 rows), 8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe (1 row)
File opened for modification | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe (14 rows), 8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe (1 row)
File created | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe (14 rows), 8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe (1 row)
Suspicious use of SetThreadContext (16 IoCs)
Every row pairs a parent with a child that runs the same image (compare the process tree below): the parent starts a copy of itself, writes into it (the WriteProcessMemory rows further down), then sets the child's thread context so the child runs the written code. That is consistent with process hollowing / self-injection, and it explains why the registry and file-drop signatures above fire in the child of each pair rather than in the parent.
Description | pid | Process | procid_target
PID 4448 set thread context of 1268 | 4448 | 8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe | 91
PID 1996 set thread context of 3708 | 1996 | igfxwl32.exe | 99
PID 4912 set thread context of 3700 | 4912 | igfxwl32.exe | 101
PID 696 set thread context of 2356 | 696 | igfxwl32.exe | 107
PID 5052 set thread context of 4636 | 5052 | igfxwl32.exe | 109
PID 2796 set thread context of 3864 | 2796 | igfxwl32.exe | 111
PID 3648 set thread context of 4388 | 3648 | igfxwl32.exe | 113
PID 4612 set thread context of 1032 | 4612 | igfxwl32.exe | 116
PID 4348 set thread context of 4088 | 4348 | igfxwl32.exe | 118
PID 2864 set thread context of 1888 | 2864 | igfxwl32.exe | 120
PID 116 set thread context of 3308 | 116 | igfxwl32.exe | 124
PID 4516 set thread context of 4992 | 4516 | igfxwl32.exe | 132
PID 4484 set thread context of 2576 | 4484 | igfxwl32.exe | 134
PID 4916 set thread context of 368 | 4916 | igfxwl32.exe | 136
PID 5064 set thread context of 4932 | 5064 | igfxwl32.exe | 141
PID 1968 set thread context of 1436 | 1968 | igfxwl32.exe | 143
Memory dumps matching YARA rule upx (22 IoCs)
Every dump is taken from a SetThreadContext target (1268, 3708, 3700, 2356, 4636, 3864, 4388, 1032, 4088, 1888, 3308, 4992, 2576, 368, 4932, 1436) and covers the same region 0x400000-0x466000, i.e. the image region the parent wrote into each child before redirecting its thread; the UPX match is on that injected image, not on a dump of the parent.
resource | yara_rule
behavioral2/memory/1268-0-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1268-2-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1268-3-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1268-4-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1268-38-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3708-46-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3708-44-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3708-48-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3700-55-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2356-61-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4636-71-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3864-76-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4388-85-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1032-92-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4088-99-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1888-105-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3308-111-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4992-117-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2576-125-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/368-135-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4932-143-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1436-151-0x0000000000400000-0x0000000000466000-memory.dmp | upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 32 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe (30 rows), 8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe (2 rows)
Modifies registry class (16 IoCs)
The key lands under WOW6432Node because WoW64 registry redirection sends a 32-bit process's writes to HKLM\SOFTWARE\Classes\CLSID there; the 16 rows match the 16 SetThreadContext rows above, one creation per injected process. The page does not say what the CLSID is used for.
Description | IoC | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwl32.exe (15 rows), 8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe (1 row)
Suspicious behavior: EnumeratesProcesses (64 IoCs; the list stops at 64 entries)
pid | Process | rows
4448 | 8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe | 2
1268 | 8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe | 4
1996 | igfxwl32.exe | 2
3708 | igfxwl32.exe | 4
4912 | igfxwl32.exe | 2
3700 | igfxwl32.exe | 4
696 | igfxwl32.exe | 2
2356 | igfxwl32.exe | 4
5052 | igfxwl32.exe | 2
4636 | igfxwl32.exe | 4
2796 | igfxwl32.exe | 2
3864 | igfxwl32.exe | 4
3648 | igfxwl32.exe | 2
4388 | igfxwl32.exe | 4
4612 | igfxwl32.exe | 2
1032 | igfxwl32.exe | 4
4348 | igfxwl32.exe | 2
4088 | igfxwl32.exe | 4
2864 | igfxwl32.exe | 2
1888 | igfxwl32.exe | 4
116 | igfxwl32.exe | 2
4516 | igfxwl32.exe | 2
Suspicious use of WriteProcessMemory (64 IoCs; the list stops at 64 entries)
Two write patterns alternate along the chain: seven writes into each child that is later the target of a SetThreadContext call (1268, 3708, 3700, 2356, 4636, 3864, 4388), and three writes into each child that a hollowed process spawns normally (1996, 4912, 696, 5052, 2796, 3648). The last row group is cut off by the 64-entry limit.
Description | pid | Process | procid_target | rows
PID 4448 wrote to memory of 1268 | 4448 | 8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe | 91 | 7
PID 1268 wrote to memory of 1996 | 1268 | 8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe | 94 | 3
PID 1996 wrote to memory of 3708 | 1996 | igfxwl32.exe | 99 | 7
PID 3708 wrote to memory of 4912 | 3708 | igfxwl32.exe | 100 | 3
PID 4912 wrote to memory of 3700 | 4912 | igfxwl32.exe | 101 | 7
PID 3700 wrote to memory of 696 | 3700 | igfxwl32.exe | 104 | 3
PID 696 wrote to memory of 2356 | 696 | igfxwl32.exe | 107 | 7
PID 2356 wrote to memory of 5052 | 2356 | igfxwl32.exe | 108 | 3
PID 5052 wrote to memory of 4636 | 5052 | igfxwl32.exe | 109 | 7
PID 4636 wrote to memory of 2796 | 4636 | igfxwl32.exe | 110 | 3
PID 2796 wrote to memory of 3864 | 2796 | igfxwl32.exe | 111 | 7
PID 3864 wrote to memory of 3648 | 3864 | igfxwl32.exe | 112 | 3
PID 3648 wrote to memory of 4388 | 3648 | igfxwl32.exe | 113 | 4 (list cut off)
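The SetThreadContext and WriteProcessMemory rows above are enough to recover the shape of the chain without the process tree. The script below is an added example for this report, not part of the Triage output or of the sample: it parses a subset of those rows (copied verbatim from the two tables above, first three hops only) in the exact format the report prints them, orders the processes by who wrote into whom, and labels each one as the stager that injects or the hollowed copy that receives the injection. The PID-to-image mapping is taken from the process tree; the row format, that mapping and the function names are the only assumptions.

```python
"""Rebuild the stager/hollowed chain from Triage "set thread context of" and
"wrote to memory of" rows.  Added example; not the sandbox's or the sample's code.

Row shapes, as printed in the report above:
    PID <src> set thread context of <dst> <src> <image of src> <target id>
    PID <src> wrote to memory of <dst> <src> <image of src> <target id>
"""
import re

SAMPLE = "8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe"

# Rows copied from the report's SetThreadContext / WriteProcessMemory tables
# (first three hops only, to keep the example short).
REPORT_ROWS = f"""
PID 4448 set thread context of 1268 4448 {SAMPLE} 91
PID 1996 set thread context of 3708 1996 igfxwl32.exe 99
PID 4912 set thread context of 3700 4912 igfxwl32.exe 101
PID 4448 wrote to memory of 1268 4448 {SAMPLE} 91
PID 4448 wrote to memory of 1268 4448 {SAMPLE} 91
PID 1268 wrote to memory of 1996 1268 {SAMPLE} 94
PID 1996 wrote to memory of 3708 1996 igfxwl32.exe 99
PID 3708 wrote to memory of 4912 3708 igfxwl32.exe 100
PID 4912 wrote to memory of 3700 4912 igfxwl32.exe 101
"""

# Image per PID, taken from the "Processes" tree in the report (assumption: the
# tree and the IoC tables describe the same run, which the yara paths confirm).
IMAGES = {4448: SAMPLE, 1268: SAMPLE, 1996: "igfxwl32.exe", 3708: "igfxwl32.exe",
          4912: "igfxwl32.exe", 3700: "igfxwl32.exe"}

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)$"
)


def parse_rows(text):
    """Parse report rows into (src_pid, action, dst_pid) triples; lines that do not
    match either row shape are skipped rather than guessed at."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m["src"]), m["action"], int(m["dst"])))
    return rows


def build_chain(rows, images=IMAGES):
    """Order the processes along the injection chain and label each one.

    A PID whose parent set its thread context is 'hollowed': its initial thread was
    redirected into code the parent wrote with WriteProcessMemory.  A PID that only
    received writes was started normally by a hollowed parent and is the 'stager'
    of the next hop.  Returns [(pid, image, role, writes_received), ...].
    Raises ValueError when the rows do not form a single linear chain.
    """
    parent, child, hollowed, writes = {}, {}, set(), {}
    for src, action, dst in rows:
        parent[dst] = src
        if src in child and child[src] != dst:
            raise ValueError(f"PID {src} injects into more than one child; not a linear chain")
        child[src] = dst
        if action == "set thread context of":
            hollowed.add(dst)
        else:
            writes[dst] = writes.get(dst, 0) + 1
    roots = [p for p in child if p not in parent]  # a source that is nobody's target
    if len(roots) != 1:
        raise ValueError(f"expected exactly one chain root, found {roots}")
    chain, pid = [], roots[0]
    while pid is not None:
        role = "hollowed" if pid in hollowed else "stager"
        chain.append((pid, images.get(pid, "?"), role, writes.get(pid, 0)))
        pid = child.get(pid)
    return chain


def pids_with_role(chain, role):
    """PIDs in the chain carrying the given role ('stager' or 'hollowed')."""
    return {pid for pid, _, r, _ in chain if r == role}


def hollowing_is_same_image(chain):
    """True when every hollowed process runs the same image as the stager that
    injected into it, the self-injection pattern this report shows."""
    return all(chain[i][1] == chain[i - 1][1]
               for i in range(1, len(chain)) if chain[i][2] == "hollowed")


if __name__ == "__main__":
    for pid, image, role, n in build_chain(parse_rows(REPORT_ROWS)):
        print(f"{pid:>5}  {role:<8}  writes_received={n}  {image}")
```

On the rows above the roles alternate stager, hollowed, stager, hollowed along the whole chain, the hollowed PIDs (1268, 3708, 3700) are exactly the PIDs whose memory dumps matched the upx rule, and the first hop shows the heavier write count into the hollowed child. Feed it the full tables and the same structure continues to PID 1436.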
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Users\Admin\AppData\Local\Temp\8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8e6dc479f409c8f54869ec7d4378bfc7_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\8E6DC4~1.EXE3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\8E6DC4~1.EXE4⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe12⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4388 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4612 -
Process: C:\Windows\SysWOW64\igfxwl32.exe (tree depth 16)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 1032
Process: C:\Windows\SysWOW64\igfxwl32.exe (tree depth 17)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 4348
Process: C:\Windows\SysWOW64\igfxwl32.exe (tree depth 18)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4088
Process: C:\Windows\SysWOW64\igfxwl32.exe (tree depth 19)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2864
Process: C:\Windows\SysWOW64\igfxwl32.exe (tree depth 20)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 1888
Process: C:\Windows\SysWOW64\igfxwl32.exe (tree depth 21)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 116
Process: C:\Windows\SysWOW64\igfxwl32.exe (tree depth 22)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3308
Process: C:\Windows\SysWOW64\igfxwl32.exe (tree depth 23)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 4516
Process: C:\Windows\SysWOW64\igfxwl32.exe (tree depth 24)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4992
Process: C:\Windows\SysWOW64\igfxwl32.exe (tree depth 25)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4484
Process: C:\Windows\SysWOW64\igfxwl32.exe (tree depth 26)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2576
Process: C:\Windows\SysWOW64\igfxwl32.exe (tree depth 27)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4916
Process: C:\Windows\SysWOW64\igfxwl32.exe (tree depth 28)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 368
Process: C:\Windows\SysWOW64\igfxwl32.exe (tree depth 29)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 5064
Process: C:\Windows\SysWOW64\igfxwl32.exe (tree depth 30)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4932
Process: C:\Windows\SysWOW64\igfxwl32.exe (tree depth 31)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1968
Process: C:\Windows\SysWOW64\igfxwl32.exe (tree depth 32)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1436
Process: C:\Windows\SysWOW64\igfxwl32.exe (tree depth 33)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
PID: 3232
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 170KB
  MD5: 8e6dc479f409c8f54869ec7d4378bfc7
  SHA1: 16cab39b39712217515f845e72de4f211722ef5e
  SHA256: 9f69504cc933d99732379b6e814736c96232017c4327b80d8c4c88a5ab5bdacf
  SHA512: bf343f41573d79a6a8817c9c346206039400af92cc469e2350350ef58062cd7fe3cf583b808f95fc8b3baed8a8d8ed4c7ae6fce578acb8387fc2cfcd813594e3
- Filesize: not reported (the digests below are the well-known hashes of zero-length input, so this entry is an empty file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e