metasploit | a61afb787ced74457ccbb12a3924f8d0758ff954a5520652210d81b3f2816caf

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9224de2a1bfd248fcea2f2a6d8665f13_JaffaCakes118.exe
Size

175KB
MD5

9224de2a1bfd248fcea2f2a6d8665f13
SHA1

03e8eb0b8ee6758ebf75b0fa5992354964a9d02f
SHA256

a61afb787ced74457ccbb12a3924f8d0758ff954a5520652210d81b3f2816caf
SHA512

8fb6d09d1fe7817ac0c7e3c482e2b3057bdbdfbc300e7d27d59db05706463631e9d471e37b994afb962dea7faca98dfcb8b6930c0e225811050d6312b2770c4a
SSDEEP

3072:/ZQfuS4xdHdosuSVfEP1QlpRE3iauerBek970l00dHHD6bo6iCMU:/254xdHCSVI18iuerokt0VdHHOb3h

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 38 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	9224de2a1bfd248fcea2f2a6d8665f13_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	igfxsc32.exe

Deletes itself 1 IoCs

pid	Process
436	igfxsc32.exe

Executes dropped EXE 38 IoCs

pid	Process
436	igfxsc32.exe
5036	igfxsc32.exe
4912	igfxsc32.exe
4080	igfxsc32.exe
2820	igfxsc32.exe
4724	igfxsc32.exe
2972	igfxsc32.exe
780	igfxsc32.exe
3356	igfxsc32.exe
5004	igfxsc32.exe
4604	igfxsc32.exe
3956	igfxsc32.exe
3164	igfxsc32.exe
4080	igfxsc32.exe
4416	igfxsc32.exe
4236	igfxsc32.exe
760	igfxsc32.exe
888	igfxsc32.exe
4576	igfxsc32.exe
1716	igfxsc32.exe
2852	igfxsc32.exe
5036	igfxsc32.exe
3248	igfxsc32.exe
4864	igfxsc32.exe
4940	igfxsc32.exe
2676	igfxsc32.exe
4320	igfxsc32.exe
396	igfxsc32.exe
4444	igfxsc32.exe
332	igfxsc32.exe
2156	igfxsc32.exe
3264	igfxsc32.exe
5028	igfxsc32.exe
1996	igfxsc32.exe
3496	igfxsc32.exe
2192	igfxsc32.exe
1104	igfxsc32.exe
3432	igfxsc32.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	9224de2a1bfd248fcea2f2a6d8665f13_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	9224de2a1bfd248fcea2f2a6d8665f13_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File created	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File created	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File created	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File created	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File created	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File created	C:\Windows\SysWOW64\igfxsc32.exe	9224de2a1bfd248fcea2f2a6d8665f13_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\	9224de2a1bfd248fcea2f2a6d8665f13_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File created	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File created	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsc32.exe
File created	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File created	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File created	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File created	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File created	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsc32.exe
File created	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File created	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File created	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsc32.exe
File created	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File created	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File created	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File created	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\igfxsc32.exe	igfxsc32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsc32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9224de2a1bfd248fcea2f2a6d8665f13_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsc32.exe

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	9224de2a1bfd248fcea2f2a6d8665f13_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsc32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3436	9224de2a1bfd248fcea2f2a6d8665f13_JaffaCakes118.exe
3436	9224de2a1bfd248fcea2f2a6d8665f13_JaffaCakes118.exe
3436	9224de2a1bfd248fcea2f2a6d8665f13_JaffaCakes118.exe
3436	9224de2a1bfd248fcea2f2a6d8665f13_JaffaCakes118.exe
436	igfxsc32.exe
436	igfxsc32.exe
436	igfxsc32.exe
436	igfxsc32.exe
5036	igfxsc32.exe
5036	igfxsc32.exe
5036	igfxsc32.exe
5036	igfxsc32.exe
4912	igfxsc32.exe
4912	igfxsc32.exe
4912	igfxsc32.exe
4912	igfxsc32.exe
4080	igfxsc32.exe
4080	igfxsc32.exe
4080	igfxsc32.exe
4080	igfxsc32.exe
2820	igfxsc32.exe
2820	igfxsc32.exe
2820	igfxsc32.exe
2820	igfxsc32.exe
4724	igfxsc32.exe
4724	igfxsc32.exe
4724	igfxsc32.exe
4724	igfxsc32.exe
2972	igfxsc32.exe
2972	igfxsc32.exe
2972	igfxsc32.exe
2972	igfxsc32.exe
780	igfxsc32.exe
780	igfxsc32.exe
780	igfxsc32.exe
780	igfxsc32.exe
3356	igfxsc32.exe
3356	igfxsc32.exe
3356	igfxsc32.exe
3356	igfxsc32.exe
5004	igfxsc32.exe
5004	igfxsc32.exe
5004	igfxsc32.exe
5004	igfxsc32.exe
4604	igfxsc32.exe
4604	igfxsc32.exe
4604	igfxsc32.exe
4604	igfxsc32.exe
3956	igfxsc32.exe
3956	igfxsc32.exe
3956	igfxsc32.exe
3956	igfxsc32.exe
3164	igfxsc32.exe
3164	igfxsc32.exe
3164	igfxsc32.exe
3164	igfxsc32.exe
4080	igfxsc32.exe
4080	igfxsc32.exe
4080	igfxsc32.exe
4080	igfxsc32.exe
4416	igfxsc32.exe
4416	igfxsc32.exe
4416	igfxsc32.exe
4416	igfxsc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 436	3436	9224de2a1bfd248fcea2f2a6d8665f13_JaffaCakes118.exe	86
PID 3436 wrote to memory of 436	3436	9224de2a1bfd248fcea2f2a6d8665f13_JaffaCakes118.exe	86
PID 3436 wrote to memory of 436	3436	9224de2a1bfd248fcea2f2a6d8665f13_JaffaCakes118.exe	86
PID 436 wrote to memory of 5036	436	igfxsc32.exe	88
PID 436 wrote to memory of 5036	436	igfxsc32.exe	88
PID 436 wrote to memory of 5036	436	igfxsc32.exe	88
PID 5036 wrote to memory of 4912	5036	igfxsc32.exe	91
PID 5036 wrote to memory of 4912	5036	igfxsc32.exe	91
PID 5036 wrote to memory of 4912	5036	igfxsc32.exe	91
PID 4912 wrote to memory of 4080	4912	igfxsc32.exe	92
PID 4912 wrote to memory of 4080	4912	igfxsc32.exe	92
PID 4912 wrote to memory of 4080	4912	igfxsc32.exe	92
PID 4080 wrote to memory of 2820	4080	igfxsc32.exe	93
PID 4080 wrote to memory of 2820	4080	igfxsc32.exe	93
PID 4080 wrote to memory of 2820	4080	igfxsc32.exe	93
PID 2820 wrote to memory of 4724	2820	igfxsc32.exe	94
PID 2820 wrote to memory of 4724	2820	igfxsc32.exe	94
PID 2820 wrote to memory of 4724	2820	igfxsc32.exe	94
PID 4724 wrote to memory of 2972	4724	igfxsc32.exe	95
PID 4724 wrote to memory of 2972	4724	igfxsc32.exe	95
PID 4724 wrote to memory of 2972	4724	igfxsc32.exe	95
PID 2972 wrote to memory of 780	2972	igfxsc32.exe	97
PID 2972 wrote to memory of 780	2972	igfxsc32.exe	97
PID 2972 wrote to memory of 780	2972	igfxsc32.exe	97
PID 780 wrote to memory of 3356	780	igfxsc32.exe	99
PID 780 wrote to memory of 3356	780	igfxsc32.exe	99
PID 780 wrote to memory of 3356	780	igfxsc32.exe	99
PID 3356 wrote to memory of 5004	3356	igfxsc32.exe	100
PID 3356 wrote to memory of 5004	3356	igfxsc32.exe	100
PID 3356 wrote to memory of 5004	3356	igfxsc32.exe	100
PID 5004 wrote to memory of 4604	5004	igfxsc32.exe	101
PID 5004 wrote to memory of 4604	5004	igfxsc32.exe	101
PID 5004 wrote to memory of 4604	5004	igfxsc32.exe	101
PID 4604 wrote to memory of 3956	4604	igfxsc32.exe	102
PID 4604 wrote to memory of 3956	4604	igfxsc32.exe	102
PID 4604 wrote to memory of 3956	4604	igfxsc32.exe	102
PID 3956 wrote to memory of 3164	3956	igfxsc32.exe	103
PID 3956 wrote to memory of 3164	3956	igfxsc32.exe	103
PID 3956 wrote to memory of 3164	3956	igfxsc32.exe	103
PID 3164 wrote to memory of 4080	3164	igfxsc32.exe	104
PID 3164 wrote to memory of 4080	3164	igfxsc32.exe	104
PID 3164 wrote to memory of 4080	3164	igfxsc32.exe	104
PID 4080 wrote to memory of 4416	4080	igfxsc32.exe	105
PID 4080 wrote to memory of 4416	4080	igfxsc32.exe	105
PID 4080 wrote to memory of 4416	4080	igfxsc32.exe	105
PID 4416 wrote to memory of 4236	4416	igfxsc32.exe	106
PID 4416 wrote to memory of 4236	4416	igfxsc32.exe	106
PID 4416 wrote to memory of 4236	4416	igfxsc32.exe	106
PID 4236 wrote to memory of 760	4236	igfxsc32.exe	107
PID 4236 wrote to memory of 760	4236	igfxsc32.exe	107
PID 4236 wrote to memory of 760	4236	igfxsc32.exe	107
PID 760 wrote to memory of 888	760	igfxsc32.exe	108
PID 760 wrote to memory of 888	760	igfxsc32.exe	108
PID 760 wrote to memory of 888	760	igfxsc32.exe	108
PID 888 wrote to memory of 4576	888	igfxsc32.exe	109
PID 888 wrote to memory of 4576	888	igfxsc32.exe	109
PID 888 wrote to memory of 4576	888	igfxsc32.exe	109
PID 4576 wrote to memory of 1716	4576	igfxsc32.exe	110
PID 4576 wrote to memory of 1716	4576	igfxsc32.exe	110
PID 4576 wrote to memory of 1716	4576	igfxsc32.exe	110
PID 1716 wrote to memory of 2852	1716	igfxsc32.exe	111
PID 1716 wrote to memory of 2852	1716	igfxsc32.exe	111
PID 1716 wrote to memory of 2852	1716	igfxsc32.exe	111
PID 2852 wrote to memory of 5036	2852	igfxsc32.exe	112

C:\Users\Admin\AppData\Local\Temp\9224de2a1bfd248fcea2f2a6d8665f13_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9224de2a1bfd248fcea2f2a6d8665f13_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\SysWOW64\igfxsc32.exe
  "C:\Windows\system32\igfxsc32.exe" C:\Users\Admin\AppData\Local\Temp\9224DE~1.EXE
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\SysWOW64\igfxsc32.exe
    "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\SysWOW64\igfxsc32.exe
      "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4080
      - C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:332
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\igfxsc32.exe
        
        "C:\Windows\system32\igfxsc32.exe" C:\Windows\SysWOW64\igfxsc32.exe
        39⤵
        Executes dropped EXE
        Maps connected drives based on registry
        
        PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\igfxsc32.exe

Filesize
175KB

MD5
9224de2a1bfd248fcea2f2a6d8665f13

SHA1
03e8eb0b8ee6758ebf75b0fa5992354964a9d02f

SHA256
a61afb787ced74457ccbb12a3924f8d0758ff954a5520652210d81b3f2816caf

SHA512
8fb6d09d1fe7817ac0c7e3c482e2b3057bdbdfbc300e7d27d59db05706463631e9d471e37b994afb962dea7faca98dfcb8b6930c0e225811050d6312b2770c4a

Download Submit
memory/332-105-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/396-97-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/396-101-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/436-36-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/760-75-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/780-53-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/780-50-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/888-77-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/1104-118-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/1716-81-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/1996-114-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/2156-108-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/2192-117-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/2676-95-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/2820-45-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/2852-83-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/2972-51-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/3164-66-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/3248-88-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/3248-86-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/3264-110-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/3356-56-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/3436-0-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/3436-34-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/3496-116-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/3956-64-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/4080-42-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/4080-68-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/4236-73-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/4320-98-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/4416-70-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/4444-103-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/4576-79-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/4604-61-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/4724-48-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/4864-90-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/4912-40-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/4940-92-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/5004-55-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/5004-59-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/5028-112-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/5036-85-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download
memory/5036-38-0x0000000016270000-0x00000000162D8000-memory.dmp

Filesize
416KB

Download