metasploit | 9b52078c49b89a3005893b903f86e6cbe56858ac48d6ff4da88df4ca564eb369

Analysis

max time kernel
149s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
Size

312KB
MD5

d7d11b49bf59d1b0729f371ea099dc9f
SHA1

0c79c2e672e942f09008cd9e8cc008fa105f7525
SHA256

9b52078c49b89a3005893b903f86e6cbe56858ac48d6ff4da88df4ca564eb369
SHA512

48a2db43ae5a2ee78d8eb305dcbfc179047a2023bf8318974f1ea072461ff657041d734a505a45ec822ec7eb5c25f2b0f1ba7e4c06403cffbc93b0f8cfbe91ae
SSDEEP

6144:j0Dd6+SD+dYnY9cCxaTVfbtTkyrfX4y2NRxzCOfKKm8V:AM+SD+2n7CxaRbjrfX4yURJm

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 20 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxdxr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxdxr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxdxr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxdxr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxdxr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxdxr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxdxr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxdxr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxdxr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxdxr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxdxr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxdxr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxdxr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxdxr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxdxr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxdxr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxdxr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxdxr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxdxr32.exe

Deletes itself 1 IoCs

pid	Process
1852	igfxdxr32.exe

Executes dropped EXE 20 IoCs

pid	Process
1852	igfxdxr32.exe
4080	igfxdxr32.exe
2716	igfxdxr32.exe
1092	igfxdxr32.exe
3476	igfxdxr32.exe
3700	igfxdxr32.exe
3336	igfxdxr32.exe
3128	igfxdxr32.exe
4756	igfxdxr32.exe
3228	igfxdxr32.exe
1800	igfxdxr32.exe
3628	igfxdxr32.exe
1776	igfxdxr32.exe
5068	igfxdxr32.exe
1504	igfxdxr32.exe
1164	igfxdxr32.exe
744	igfxdxr32.exe
1824	igfxdxr32.exe
4972	igfxdxr32.exe
4156	igfxdxr32.exe

Maps connected drives based on registry 3 TTPs 40 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdxr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdxr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdxr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdxr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdxr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdxr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdxr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdxr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdxr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdxr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdxr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdxr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdxr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdxr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdxr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdxr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdxr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdxr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdxr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdxr32.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File created	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File created	C:\Windows\SysWOW64\igfxdxr32.exe	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File created	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File created	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdxr32.exe
File created	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdxr32.exe
File created	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File created	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File created	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdxr32.exe
File created	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdxr32.exe
File created	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File created	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File created	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File created	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File created	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdxr32.exe	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdxr32.exe
File created	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdxr32.exe
File created	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File created	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File created	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdxr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe
File created	C:\Windows\SysWOW64\igfxdxr32.exe	igfxdxr32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs

pid	Process
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
1852	igfxdxr32.exe
4080	igfxdxr32.exe
2716	igfxdxr32.exe
1092	igfxdxr32.exe
3476	igfxdxr32.exe
3700	igfxdxr32.exe
3336	igfxdxr32.exe
3128	igfxdxr32.exe
4756	igfxdxr32.exe
3228	igfxdxr32.exe
1800	igfxdxr32.exe
3628	igfxdxr32.exe
1776	igfxdxr32.exe
5068	igfxdxr32.exe
1504	igfxdxr32.exe
1164	igfxdxr32.exe
744	igfxdxr32.exe
1824	igfxdxr32.exe
4972	igfxdxr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 20 IoCs

pid	pid_target	Process	procid_target
1188	2844	WerFault.exe	81
2064	1852	WerFault.exe	85
3704	4080	WerFault.exe	93
4984	2716	WerFault.exe	98
2332	1092	WerFault.exe	101
1052	3476	WerFault.exe	106
1260	3700	WerFault.exe	109
4516	3336	WerFault.exe	112
3420	3128	WerFault.exe	115
460	4756	WerFault.exe	118
4496	3228	WerFault.exe	121
4144	1800	WerFault.exe	124
3152	3628	WerFault.exe	127
1680	1776	WerFault.exe	130
4948	5068	WerFault.exe	133
4884	1504	WerFault.exe	136
4220	1164	WerFault.exe	139
4644	744	WerFault.exe	142
3200	1824	WerFault.exe	145
948	4972	WerFault.exe	148

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdxr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdxr32.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdxr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdxr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdxr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdxr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdxr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdxr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdxr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdxr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdxr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdxr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdxr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdxr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdxr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdxr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdxr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdxr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdxr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdxr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdxr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe
1852	igfxdxr32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 1852	2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe	85
PID 2844 wrote to memory of 1852	2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe	85
PID 2844 wrote to memory of 1852	2844	d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe	85
PID 1852 wrote to memory of 4080	1852	igfxdxr32.exe	93
PID 1852 wrote to memory of 4080	1852	igfxdxr32.exe	93
PID 1852 wrote to memory of 4080	1852	igfxdxr32.exe	93
PID 4080 wrote to memory of 2716	4080	igfxdxr32.exe	98
PID 4080 wrote to memory of 2716	4080	igfxdxr32.exe	98
PID 4080 wrote to memory of 2716	4080	igfxdxr32.exe	98
PID 2716 wrote to memory of 1092	2716	igfxdxr32.exe	101
PID 2716 wrote to memory of 1092	2716	igfxdxr32.exe	101
PID 2716 wrote to memory of 1092	2716	igfxdxr32.exe	101
PID 1092 wrote to memory of 3476	1092	igfxdxr32.exe	106
PID 1092 wrote to memory of 3476	1092	igfxdxr32.exe	106
PID 1092 wrote to memory of 3476	1092	igfxdxr32.exe	106
PID 3476 wrote to memory of 3700	3476	igfxdxr32.exe	109
PID 3476 wrote to memory of 3700	3476	igfxdxr32.exe	109
PID 3476 wrote to memory of 3700	3476	igfxdxr32.exe	109
PID 3700 wrote to memory of 3336	3700	igfxdxr32.exe	112
PID 3700 wrote to memory of 3336	3700	igfxdxr32.exe	112
PID 3700 wrote to memory of 3336	3700	igfxdxr32.exe	112
PID 3336 wrote to memory of 3128	3336	igfxdxr32.exe	115
PID 3336 wrote to memory of 3128	3336	igfxdxr32.exe	115
PID 3336 wrote to memory of 3128	3336	igfxdxr32.exe	115
PID 3128 wrote to memory of 4756	3128	igfxdxr32.exe	118
PID 3128 wrote to memory of 4756	3128	igfxdxr32.exe	118
PID 3128 wrote to memory of 4756	3128	igfxdxr32.exe	118
PID 4756 wrote to memory of 3228	4756	igfxdxr32.exe	121
PID 4756 wrote to memory of 3228	4756	igfxdxr32.exe	121
PID 4756 wrote to memory of 3228	4756	igfxdxr32.exe	121
PID 3228 wrote to memory of 1800	3228	igfxdxr32.exe	124
PID 3228 wrote to memory of 1800	3228	igfxdxr32.exe	124
PID 3228 wrote to memory of 1800	3228	igfxdxr32.exe	124
PID 1800 wrote to memory of 3628	1800	igfxdxr32.exe	127
PID 1800 wrote to memory of 3628	1800	igfxdxr32.exe	127
PID 1800 wrote to memory of 3628	1800	igfxdxr32.exe	127
PID 3628 wrote to memory of 1776	3628	igfxdxr32.exe	130
PID 3628 wrote to memory of 1776	3628	igfxdxr32.exe	130
PID 3628 wrote to memory of 1776	3628	igfxdxr32.exe	130
PID 1776 wrote to memory of 5068	1776	igfxdxr32.exe	133
PID 1776 wrote to memory of 5068	1776	igfxdxr32.exe	133
PID 1776 wrote to memory of 5068	1776	igfxdxr32.exe	133
PID 5068 wrote to memory of 1504	5068	igfxdxr32.exe	136
PID 5068 wrote to memory of 1504	5068	igfxdxr32.exe	136
PID 5068 wrote to memory of 1504	5068	igfxdxr32.exe	136
PID 1504 wrote to memory of 1164	1504	igfxdxr32.exe	139
PID 1504 wrote to memory of 1164	1504	igfxdxr32.exe	139
PID 1504 wrote to memory of 1164	1504	igfxdxr32.exe	139
PID 1164 wrote to memory of 744	1164	igfxdxr32.exe	142
PID 1164 wrote to memory of 744	1164	igfxdxr32.exe	142
PID 1164 wrote to memory of 744	1164	igfxdxr32.exe	142
PID 744 wrote to memory of 1824	744	igfxdxr32.exe	145
PID 744 wrote to memory of 1824	744	igfxdxr32.exe	145
PID 744 wrote to memory of 1824	744	igfxdxr32.exe	145
PID 1824 wrote to memory of 4972	1824	igfxdxr32.exe	148
PID 1824 wrote to memory of 4972	1824	igfxdxr32.exe	148
PID 1824 wrote to memory of 4972	1824	igfxdxr32.exe	148
PID 4972 wrote to memory of 4156	4972	igfxdxr32.exe	151
PID 4972 wrote to memory of 4156	4972	igfxdxr32.exe	151
PID 4972 wrote to memory of 4156	4972	igfxdxr32.exe	151

C:\Users\Admin\AppData\Local\Temp\d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d7d11b49bf59d1b0729f371ea099dc9f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 336
  2⤵
  - Program crash
  PID:1188
- C:\Windows\SysWOW64\igfxdxr32.exe
  "C:\Windows\system32\igfxdxr32.exe" C:\Users\Admin\AppData\Local\Temp\D7D11B~1.EXE
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 224
    3⤵
    - Program crash
    PID:2064
- - C:\Windows\SysWOW64\igfxdxr32.exe
    "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 308
      4⤵
      Program crash
      PID:3704
  - - C:\Windows\SysWOW64\igfxdxr32.exe
      "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 304
        5⤵
        Program crash
        
        PID:4984
    - - C:\Windows\SysWOW64\igfxdxr32.exe
        
        "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 308
        6⤵
        Program crash
        
        PID:2332
      - C:\Windows\SysWOW64\igfxdxr32.exe
        
        "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 304
        7⤵
        Program crash
        
        PID:1052
        
        C:\Windows\SysWOW64\igfxdxr32.exe
        
        "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 304
        8⤵
        Program crash
        
        PID:1260
        
        C:\Windows\SysWOW64\igfxdxr32.exe
        
        "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 304
        9⤵
        Program crash
        
        PID:4516
        
        C:\Windows\SysWOW64\igfxdxr32.exe
        
        "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 304
        10⤵
        Program crash
        
        PID:3420
        
        C:\Windows\SysWOW64\igfxdxr32.exe
        
        "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 304
        11⤵
        Program crash
        
        PID:460
        
        C:\Windows\SysWOW64\igfxdxr32.exe
        
        "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 216
        12⤵
        Program crash
        
        PID:4496
        
        C:\Windows\SysWOW64\igfxdxr32.exe
        
        "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 304
        13⤵
        Program crash
        
        PID:4144
        
        C:\Windows\SysWOW64\igfxdxr32.exe
        
        "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 308
        14⤵
        Program crash
        
        PID:3152
        
        C:\Windows\SysWOW64\igfxdxr32.exe
        
        "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 308
        15⤵
        Program crash
        
        PID:1680
        
        C:\Windows\SysWOW64\igfxdxr32.exe
        
        "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 300
        16⤵
        Program crash
        
        PID:4948
        
        C:\Windows\SysWOW64\igfxdxr32.exe
        
        "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 308
        17⤵
        Program crash
        
        PID:4884
        
        C:\Windows\SysWOW64\igfxdxr32.exe
        
        "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 240
        18⤵
        Program crash
        
        PID:4220
        
        C:\Windows\SysWOW64\igfxdxr32.exe
        
        "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 216
        19⤵
        Program crash
        
        PID:4644
        
        C:\Windows\SysWOW64\igfxdxr32.exe
        
        "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 304
        20⤵
        Program crash
        
        PID:3200
        
        C:\Windows\SysWOW64\igfxdxr32.exe
        
        "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 304
        21⤵
        Program crash
        
        PID:948
        
        C:\Windows\SysWOW64\igfxdxr32.exe
        
        "C:\Windows\system32\igfxdxr32.exe" C:\Windows\SysWOW64\IGFXDX~1.EXE
        21⤵
        Executes dropped EXE
        
        PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2844 -ip 2844
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1852 -ip 1852
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4080 -ip 4080
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2716 -ip 2716
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1092 -ip 1092
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 212 -p 3476 -ip 3476
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3700 -ip 3700
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3336 -ip 3336
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3128 -ip 3128
1⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4756 -ip 4756
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3228 -ip 3228
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1800 -ip 1800
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3628 -ip 3628
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 1776 -ip 1776
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5068 -ip 5068
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1504 -ip 1504
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 212 -p 1164 -ip 1164
1⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 212 -p 744 -ip 744
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1824 -ip 1824
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4972 -ip 4972
1⤵
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\igfxdxr32.exe

Filesize
312KB

MD5
d7d11b49bf59d1b0729f371ea099dc9f

SHA1
0c79c2e672e942f09008cd9e8cc008fa105f7525

SHA256
9b52078c49b89a3005893b903f86e6cbe56858ac48d6ff4da88df4ca564eb369

SHA512
48a2db43ae5a2ee78d8eb305dcbfc179047a2023bf8318974f1ea072461ff657041d734a505a45ec822ec7eb5c25f2b0f1ba7e4c06403cffbc93b0f8cfbe91ae

Download Submit
memory/744-120-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/744-117-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1092-64-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1092-59-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1164-116-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1504-112-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1776-103-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1800-94-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1824-125-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1852-43-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1852-39-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1852-47-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1852-42-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2716-61-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2844-41-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2844-4-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2844-1-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2844-0-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2844-2-0x0000000000477000-0x0000000000493000-memory.dmp

Filesize
112KB

Download
memory/2844-3-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3128-81-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3228-90-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3336-73-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3336-78-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3476-69-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3628-98-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3700-75-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4080-52-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4080-49-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4080-50-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4080-48-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4080-55-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4756-86-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4972-130-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/5068-108-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/5068-101-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download