Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2024 23:58
Static task: static1
Behavioral task: behavioral1
  Sample: bacc6ba0024e93112bfbccea47c2dcc9_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: bacc6ba0024e93112bfbccea47c2dcc9_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: bacc6ba0024e93112bfbccea47c2dcc9_JaffaCakes118.exe
Size: 256KB
MD5: bacc6ba0024e93112bfbccea47c2dcc9
SHA1: 61b715fa81014bff4e1ff61f17e410e4e71ac43e
SHA256: 185ac0859f53e0e7b63b8b86ebe9f90c9493d6ea8998dc29650cccb3856181fb
SHA512: 4f182b05908f758a4a52f84331856a680d78f2c29ae68bf0b1ead4011198e16b63134eb9d3299b5f2ddf27ea02429ddfa8d47a401e329c2298ed106664b72ba4
SSDEEP: 6144:mpJ8jvef75RHaQPIBTBwi++M1+tDNfXlgNmxiIZx:mQmFRfwBGi+lwtDNf1gExiu
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Metasploit family
Checks computer location settings (2 TTPs, 43 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process | count
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | igfxdfb86.exe | 42
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | bacc6ba0024e93112bfbccea47c2dcc9_JaffaCakes118.exe | 1
Deletes itself (1 IoC)
pid | Process
2096 | igfxdfb86.exe
Executes dropped EXE (43 IoCs)
pid | Process
2096, 1676, 112, 1928, 3196, 3596, 1500, 3004, 4300, 2372, 3460, 3872, 1636, 2104, 2332, 3020, 224, 3448, 1252, 3212, 4976, 884, 4740, 4852, 3512, 3540, 4424, 1828, 4696, 1464, 4516, 2012, 1520, 1368, 4264, 3476, 2580, 1092, 4176, 764, 4680, 3064, 312 | igfxdfb86.exe (all 43 entries)
Maps connected drives based on registry (3 TTPs, 64 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process | count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxdfb86.exe | 29
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | bacc6ba0024e93112bfbccea47c2dcc9_JaffaCakes118.exe | 1
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxdfb86.exe | 33
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | bacc6ba0024e93112bfbccea47c2dcc9_JaffaCakes118.exe | 1
Drops file in System32 directory (64 IoCs)
description | ioc | Process | count
File opened for modification | C:\Windows\SysWOW64\ | igfxdfb86.exe | 17
File opened for modification | C:\Windows\SysWOW64\ | bacc6ba0024e93112bfbccea47c2dcc9_JaffaCakes118.exe | 1
File opened for modification | C:\Windows\SysWOW64\igfxdfb86.exe | igfxdfb86.exe | 29
File created | C:\Windows\SysWOW64\igfxdfb86.exe | igfxdfb86.exe | 16
File created | C:\Windows\SysWOW64\igfxdfb86.exe | bacc6ba0024e93112bfbccea47c2dcc9_JaffaCakes118.exe | 1
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 43 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process | count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxdfb86.exe | 42
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bacc6ba0024e93112bfbccea47c2dcc9_JaffaCakes118.exe | 1
Modifies registry class (43 IoCs)
description | ioc | Process | count
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxdfb86.exe | 42
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | bacc6ba0024e93112bfbccea47c2dcc9_JaffaCakes118.exe | 1
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | count
4688 | bacc6ba0024e93112bfbccea47c2dcc9_JaffaCakes118.exe | 32
2096 | igfxdfb86.exe | 32
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | count
PID 4688 wrote to memory of 2096 | 4688 | bacc6ba0024e93112bfbccea47c2dcc9_JaffaCakes118.exe | 83 | 3
PID 2096 wrote to memory of 1676 | 2096 | igfxdfb86.exe | 85 | 3
PID 1676 wrote to memory of 112 | 1676 | igfxdfb86.exe | 92 | 3
PID 112 wrote to memory of 1928 | 112 | igfxdfb86.exe | 95 | 3
PID 1928 wrote to memory of 3196 | 1928 | igfxdfb86.exe | 100 | 3
PID 3196 wrote to memory of 3596 | 3196 | igfxdfb86.exe | 101 | 3
PID 3596 wrote to memory of 1500 | 3596 | igfxdfb86.exe | 102 | 3
PID 1500 wrote to memory of 3004 | 1500 | igfxdfb86.exe | 103 | 3
PID 3004 wrote to memory of 4300 | 3004 | igfxdfb86.exe | 106 | 3
PID 4300 wrote to memory of 2372 | 4300 | igfxdfb86.exe | 108 | 3
PID 2372 wrote to memory of 3460 | 2372 | igfxdfb86.exe | 109 | 3
PID 3460 wrote to memory of 3872 | 3460 | igfxdfb86.exe | 110 | 3
PID 3872 wrote to memory of 1636 | 3872 | igfxdfb86.exe | 111 | 3
PID 1636 wrote to memory of 2104 | 1636 | igfxdfb86.exe | 112 | 3
PID 2104 wrote to memory of 2332 | 2104 | igfxdfb86.exe | 113 | 3
PID 2332 wrote to memory of 3020 | 2332 | igfxdfb86.exe | 114 | 3
PID 3020 wrote to memory of 224 | 3020 | igfxdfb86.exe | 115 | 3
PID 224 wrote to memory of 3448 | 224 | igfxdfb86.exe | 116 | 3
PID 3448 wrote to memory of 1252 | 3448 | igfxdfb86.exe | 117 | 3
PID 1252 wrote to memory of 3212 | 1252 | igfxdfb86.exe | 118 | 3
PID 3212 wrote to memory of 4976 | 3212 | igfxdfb86.exe | 119 | 3
PID 4976 wrote to memory of 884 | 4976 | igfxdfb86.exe | 120 | 1
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\bacc6ba0024e93112bfbccea47c2dcc9_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bacc6ba0024e93112bfbccea47c2dcc9_JaffaCakes118.exe"
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4688
[depth 2] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Users\Admin\AppData\Local\Temp\BACC6B~1.EXE
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2096
[depth 3] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1676
[depth 4] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 112
[depth 5] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1928
[depth 6] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3196
[depth 7] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3596
[depth 8] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1500
[depth 9] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3004
[depth 10] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4300
[depth 11] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2372
[depth 12] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3460
[depth 13] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3872
[depth 14] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1636
[depth 15] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2104
[depth 16] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2332
[depth 17] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3020
[depth 18] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 224
[depth 19] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3448
[depth 20] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1252
[depth 21] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3212
[depth 22] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4976
[depth 23] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 884
[depth 24] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4740
[depth 25] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4852
[depth 26] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3512
[depth 27] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3540
[depth 28] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4424
[depth 29] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1828
[depth 30] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4696
[depth 31] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1464
[depth 32] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4516
[depth 33] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2012
[depth 34] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1520
[depth 35] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1368
[depth 36] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4264
[depth 37] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3476
[depth 38] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2580
[depth 39] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1092
[depth 40] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4176
[depth 41] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 764
[depth 42] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4680
[depth 43] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3064
[depth 44] C:\Windows\SysWOW64\igfxdfb86.exe
  Command line: "C:\Windows\system32\igfxdfb86.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
- Executes dropped EXE
- Maps connected drives based on registry
PID: 312
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 256KB
MD5: bacc6ba0024e93112bfbccea47c2dcc9
SHA1: 61b715fa81014bff4e1ff61f17e410e4e71ac43e
SHA256: 185ac0859f53e0e7b63b8b86ebe9f90c9493d6ea8998dc29650cccb3856181fb
SHA512: 4f182b05908f758a4a52f84331856a680d78f2c29ae68bf0b1ead4011198e16b63134eb9d3299b5f2ddf27ea02429ddfa8d47a401e329c2298ed106664b72ba4