metasploit | 1a36a167bda88e4d6fc041f1485aa6052faad870fc0d4969c6c4df40d023c053

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
Size

230KB
MD5

8f69bf18abeb7f6df4399ea9442b81ac
SHA1

ad3d2573709166484167deca2275305c345a573d
SHA256

1a36a167bda88e4d6fc041f1485aa6052faad870fc0d4969c6c4df40d023c053
SHA512

4a879875cd543f59d87ff12593eaef8a157b3b87ccb394e9a620aac84b5d784746e9bf2304a9824538f92781411fd4a99e75370fe9268ba49131e9212dad7361
SSDEEP

6144:0JHxEXVvbwEnJl8hB0TTfQLc41dS62os5a7rK2Y96b:WHx6FbtJWhuTqjS8YaXK2Ykb

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
2512	igfxdpc32.exe

Executes dropped EXE 49 IoCs

pid	Process
2512	igfxdpc32.exe
2716	igfxdpc32.exe
2864	igfxdpc32.exe
2640	igfxdpc32.exe
3004	igfxdpc32.exe
236	igfxdpc32.exe
1880	igfxdpc32.exe
1912	igfxdpc32.exe
2016	igfxdpc32.exe
2684	igfxdpc32.exe
2476	igfxdpc32.exe
2036	igfxdpc32.exe
2392	igfxdpc32.exe
2952	igfxdpc32.exe
1632	igfxdpc32.exe
2532	igfxdpc32.exe
876	igfxdpc32.exe
2456	igfxdpc32.exe
1492	igfxdpc32.exe
2180	igfxdpc32.exe
2820	igfxdpc32.exe
2792	igfxdpc32.exe
2232	igfxdpc32.exe
2600	igfxdpc32.exe
2744	igfxdpc32.exe
1480	igfxdpc32.exe
1884	igfxdpc32.exe
1292	igfxdpc32.exe
2040	igfxdpc32.exe
2892	igfxdpc32.exe
2436	igfxdpc32.exe
2104	igfxdpc32.exe
468	igfxdpc32.exe
1296	igfxdpc32.exe
1748	igfxdpc32.exe
1396	igfxdpc32.exe
344	igfxdpc32.exe
1268	igfxdpc32.exe
2664	igfxdpc32.exe
868	igfxdpc32.exe
2148	igfxdpc32.exe
2068	igfxdpc32.exe
2512	igfxdpc32.exe
928	igfxdpc32.exe
2792	igfxdpc32.exe
2724	igfxdpc32.exe
2628	igfxdpc32.exe
2600	igfxdpc32.exe
2744	igfxdpc32.exe

Loads dropped DLL 64 IoCs

pid	Process
1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
2512	igfxdpc32.exe
2512	igfxdpc32.exe
2716	igfxdpc32.exe
2716	igfxdpc32.exe
2864	igfxdpc32.exe
2864	igfxdpc32.exe
2640	igfxdpc32.exe
2640	igfxdpc32.exe
3004	igfxdpc32.exe
3004	igfxdpc32.exe
236	igfxdpc32.exe
236	igfxdpc32.exe
1880	igfxdpc32.exe
1880	igfxdpc32.exe
1912	igfxdpc32.exe
1912	igfxdpc32.exe
2016	igfxdpc32.exe
2016	igfxdpc32.exe
2684	igfxdpc32.exe
2684	igfxdpc32.exe
2476	igfxdpc32.exe
2476	igfxdpc32.exe
2036	igfxdpc32.exe
2036	igfxdpc32.exe
2392	igfxdpc32.exe
2392	igfxdpc32.exe
2952	igfxdpc32.exe
2952	igfxdpc32.exe
1632	igfxdpc32.exe
1632	igfxdpc32.exe
2532	igfxdpc32.exe
2532	igfxdpc32.exe
876	igfxdpc32.exe
876	igfxdpc32.exe
2456	igfxdpc32.exe
2456	igfxdpc32.exe
1492	igfxdpc32.exe
1492	igfxdpc32.exe
2180	igfxdpc32.exe
2180	igfxdpc32.exe
2820	igfxdpc32.exe
2820	igfxdpc32.exe
2792	igfxdpc32.exe
2792	igfxdpc32.exe
2232	igfxdpc32.exe
2232	igfxdpc32.exe
2600	igfxdpc32.exe
2600	igfxdpc32.exe
2744	igfxdpc32.exe
2744	igfxdpc32.exe
1480	igfxdpc32.exe
1480	igfxdpc32.exe
1884	igfxdpc32.exe
1884	igfxdpc32.exe
1292	igfxdpc32.exe
1292	igfxdpc32.exe
2040	igfxdpc32.exe
2040	igfxdpc32.exe
2892	igfxdpc32.exe
2892	igfxdpc32.exe
2436	igfxdpc32.exe
2436	igfxdpc32.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdpc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdpc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe
File created	C:\Windows\SysWOW64\igfxdpc32.exe	igfxdpc32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdpc32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
2512	igfxdpc32.exe
2512	igfxdpc32.exe
2512	igfxdpc32.exe
2512	igfxdpc32.exe
2512	igfxdpc32.exe
2512	igfxdpc32.exe
2512	igfxdpc32.exe
2512	igfxdpc32.exe
2512	igfxdpc32.exe
2512	igfxdpc32.exe
2512	igfxdpc32.exe
2512	igfxdpc32.exe
2512	igfxdpc32.exe
2512	igfxdpc32.exe
2512	igfxdpc32.exe
2512	igfxdpc32.exe
2716	igfxdpc32.exe
2716	igfxdpc32.exe
2716	igfxdpc32.exe
2716	igfxdpc32.exe
2716	igfxdpc32.exe
2716	igfxdpc32.exe
2716	igfxdpc32.exe
2716	igfxdpc32.exe
2716	igfxdpc32.exe
2716	igfxdpc32.exe
2716	igfxdpc32.exe
2716	igfxdpc32.exe
2716	igfxdpc32.exe
2716	igfxdpc32.exe
2716	igfxdpc32.exe
2716	igfxdpc32.exe
2864	igfxdpc32.exe
2864	igfxdpc32.exe
2864	igfxdpc32.exe
2864	igfxdpc32.exe
2864	igfxdpc32.exe
2864	igfxdpc32.exe
2864	igfxdpc32.exe
2864	igfxdpc32.exe
2864	igfxdpc32.exe
2864	igfxdpc32.exe
2864	igfxdpc32.exe
2864	igfxdpc32.exe
2864	igfxdpc32.exe
2864	igfxdpc32.exe
2864	igfxdpc32.exe
2864	igfxdpc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2512	1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe	30
PID 1520 wrote to memory of 2512	1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe	30
PID 1520 wrote to memory of 2512	1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe	30
PID 1520 wrote to memory of 2512	1520	8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe	30
PID 2512 wrote to memory of 2716	2512	igfxdpc32.exe	31
PID 2512 wrote to memory of 2716	2512	igfxdpc32.exe	31
PID 2512 wrote to memory of 2716	2512	igfxdpc32.exe	31
PID 2512 wrote to memory of 2716	2512	igfxdpc32.exe	31
PID 2716 wrote to memory of 2864	2716	igfxdpc32.exe	33
PID 2716 wrote to memory of 2864	2716	igfxdpc32.exe	33
PID 2716 wrote to memory of 2864	2716	igfxdpc32.exe	33
PID 2716 wrote to memory of 2864	2716	igfxdpc32.exe	33
PID 2864 wrote to memory of 2640	2864	igfxdpc32.exe	34
PID 2864 wrote to memory of 2640	2864	igfxdpc32.exe	34
PID 2864 wrote to memory of 2640	2864	igfxdpc32.exe	34
PID 2864 wrote to memory of 2640	2864	igfxdpc32.exe	34
PID 2640 wrote to memory of 3004	2640	igfxdpc32.exe	35
PID 2640 wrote to memory of 3004	2640	igfxdpc32.exe	35
PID 2640 wrote to memory of 3004	2640	igfxdpc32.exe	35
PID 2640 wrote to memory of 3004	2640	igfxdpc32.exe	35
PID 3004 wrote to memory of 236	3004	igfxdpc32.exe	36
PID 3004 wrote to memory of 236	3004	igfxdpc32.exe	36
PID 3004 wrote to memory of 236	3004	igfxdpc32.exe	36
PID 3004 wrote to memory of 236	3004	igfxdpc32.exe	36
PID 236 wrote to memory of 1880	236	igfxdpc32.exe	37
PID 236 wrote to memory of 1880	236	igfxdpc32.exe	37
PID 236 wrote to memory of 1880	236	igfxdpc32.exe	37
PID 236 wrote to memory of 1880	236	igfxdpc32.exe	37
PID 1880 wrote to memory of 1912	1880	igfxdpc32.exe	38
PID 1880 wrote to memory of 1912	1880	igfxdpc32.exe	38
PID 1880 wrote to memory of 1912	1880	igfxdpc32.exe	38
PID 1880 wrote to memory of 1912	1880	igfxdpc32.exe	38
PID 1912 wrote to memory of 2016	1912	igfxdpc32.exe	39
PID 1912 wrote to memory of 2016	1912	igfxdpc32.exe	39
PID 1912 wrote to memory of 2016	1912	igfxdpc32.exe	39
PID 1912 wrote to memory of 2016	1912	igfxdpc32.exe	39
PID 2016 wrote to memory of 2684	2016	igfxdpc32.exe	40
PID 2016 wrote to memory of 2684	2016	igfxdpc32.exe	40
PID 2016 wrote to memory of 2684	2016	igfxdpc32.exe	40
PID 2016 wrote to memory of 2684	2016	igfxdpc32.exe	40
PID 2684 wrote to memory of 2476	2684	igfxdpc32.exe	41
PID 2684 wrote to memory of 2476	2684	igfxdpc32.exe	41
PID 2684 wrote to memory of 2476	2684	igfxdpc32.exe	41
PID 2684 wrote to memory of 2476	2684	igfxdpc32.exe	41
PID 2476 wrote to memory of 2036	2476	igfxdpc32.exe	42
PID 2476 wrote to memory of 2036	2476	igfxdpc32.exe	42
PID 2476 wrote to memory of 2036	2476	igfxdpc32.exe	42
PID 2476 wrote to memory of 2036	2476	igfxdpc32.exe	42
PID 2036 wrote to memory of 2392	2036	igfxdpc32.exe	43
PID 2036 wrote to memory of 2392	2036	igfxdpc32.exe	43
PID 2036 wrote to memory of 2392	2036	igfxdpc32.exe	43
PID 2036 wrote to memory of 2392	2036	igfxdpc32.exe	43
PID 2392 wrote to memory of 2952	2392	igfxdpc32.exe	44
PID 2392 wrote to memory of 2952	2392	igfxdpc32.exe	44
PID 2392 wrote to memory of 2952	2392	igfxdpc32.exe	44
PID 2392 wrote to memory of 2952	2392	igfxdpc32.exe	44
PID 2952 wrote to memory of 1632	2952	igfxdpc32.exe	45
PID 2952 wrote to memory of 1632	2952	igfxdpc32.exe	45
PID 2952 wrote to memory of 1632	2952	igfxdpc32.exe	45
PID 2952 wrote to memory of 1632	2952	igfxdpc32.exe	45
PID 1632 wrote to memory of 2532	1632	igfxdpc32.exe	46
PID 1632 wrote to memory of 2532	1632	igfxdpc32.exe	46
PID 1632 wrote to memory of 2532	1632	igfxdpc32.exe	46
PID 1632 wrote to memory of 2532	1632	igfxdpc32.exe	46

C:\Users\Admin\AppData\Local\Temp\8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8f69bf18abeb7f6df4399ea9442b81ac_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\SysWOW64\igfxdpc32.exe
  "C:\Windows\system32\igfxdpc32.exe" C:\Users\Admin\AppData\Local\Temp\8F69BF~1.EXE
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\igfxdpc32.exe
    "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\igfxdpc32.exe
      "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:236
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        33⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        34⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        37⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        38⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:344
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        39⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        40⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        41⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        42⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        43⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        44⤵
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        46⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        47⤵
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        48⤵
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        49⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\igfxdpc32.exe
        
        "C:\Windows\system32\igfxdpc32.exe" C:\Windows\SysWOW64\IGFXDP~1.EXE
        51⤵
        
        PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\igfxdpc32.exe

Filesize
230KB

MD5
8f69bf18abeb7f6df4399ea9442b81ac

SHA1
ad3d2573709166484167deca2275305c345a573d

SHA256
1a36a167bda88e4d6fc041f1485aa6052faad870fc0d4969c6c4df40d023c053

SHA512
4a879875cd543f59d87ff12593eaef8a157b3b87ccb394e9a620aac84b5d784746e9bf2304a9824538f92781411fd4a99e75370fe9268ba49131e9212dad7361

Download Submit
memory/236-65-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/236-59-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/344-212-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/468-196-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/468-193-0x00000000032C0000-0x000000000334B000-memory.dmp

Filesize
556KB

Download
memory/468-191-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/868-224-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/868-219-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/876-131-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/876-134-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/928-235-0x00000000032F0000-0x000000000337B000-memory.dmp

Filesize
556KB

Download
memory/928-238-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1268-216-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1268-213-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1292-174-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1292-171-0x0000000003450000-0x00000000034DB000-memory.dmp

Filesize
556KB

Download
memory/1292-170-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1296-199-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1396-209-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1396-205-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1480-165-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1480-256-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1492-138-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1492-140-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1520-22-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1520-15-0x0000000003260000-0x00000000032EB000-memory.dmp

Filesize
556KB

Download
memory/1520-4-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1520-3-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1520-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1520-2-0x0000000000472000-0x000000000048A000-memory.dmp

Filesize
96KB

Download
memory/1520-17-0x0000000003260000-0x00000000032EB000-memory.dmp

Filesize
556KB

Download
memory/1520-1-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1632-121-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1748-201-0x0000000003060000-0x00000000030EB000-memory.dmp

Filesize
556KB

Download
memory/1748-200-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1748-204-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1880-69-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1884-168-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1884-166-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1912-77-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2016-82-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2036-104-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2036-102-0x0000000003380000-0x000000000340B000-memory.dmp

Filesize
556KB

Download
memory/2040-175-0x0000000003340000-0x00000000033CB000-memory.dmp

Filesize
556KB

Download
memory/2040-178-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2068-230-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2104-192-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2148-226-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2180-143-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2180-142-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2232-153-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2392-109-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2392-105-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2436-187-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2436-184-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2456-137-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2476-94-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2512-23-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2512-27-0x0000000003220000-0x00000000032AB000-memory.dmp

Filesize
556KB

Download
memory/2512-19-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2512-20-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2512-233-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2512-231-0x0000000003160000-0x00000000031EB000-memory.dmp

Filesize
556KB

Download
memory/2512-18-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2512-32-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2512-29-0x0000000003220000-0x00000000032AB000-memory.dmp

Filesize
556KB

Download
memory/2532-124-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2532-130-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2532-185-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2600-247-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2600-155-0x0000000003360000-0x00000000033EB000-memory.dmp

Filesize
556KB

Download
memory/2600-158-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2600-252-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2628-249-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2628-246-0x0000000003260000-0x00000000032EB000-memory.dmp

Filesize
556KB

Download
memory/2640-50-0x00000000031C0000-0x000000000324B000-memory.dmp

Filesize
556KB

Download
memory/2640-52-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2664-218-0x0000000003260000-0x00000000032EB000-memory.dmp

Filesize
556KB

Download
memory/2664-221-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2684-90-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2716-37-0x00000000033A0000-0x000000000342B000-memory.dmp

Filesize
556KB

Download
memory/2716-39-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2724-244-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2744-159-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2744-161-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2744-255-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2792-149-0x0000000003260000-0x00000000032EB000-memory.dmp

Filesize
556KB

Download
memory/2792-241-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2792-151-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2820-207-0x00000000048E0000-0x000000000496B000-memory.dmp

Filesize
556KB

Download
memory/2820-146-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2864-44-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2892-183-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2892-179-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2892-180-0x00000000033B0000-0x000000000343B000-memory.dmp

Filesize
556KB

Download
memory/2952-117-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3004-56-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download